b'                    OFFICE O F THE INSPECTOR GENERAL\n                     CORPORATION FOR NATIONAL AND\n                           COMMUNITY SERVICE\n\n\n\n\n                            OIG Letter Report Regarding\n                   Corporation For National and Community Service\n                                  Compliance With\n                   The Government Information Security Reform Act\n\n\n                               OIG Report Number 02-04\n                                  September 26,2001\n\n\n\n\n                          FOR OFFICIAL USE ONLY\n\nThis letter report contains information about Corporation computer security\npractices and vulnerabilities. All recipients of this report should take care to\nprevent the unauthorized disclosure of the report or its contents. Requests for\nrelease of this report or its contents must be referred to the Inspector General.\n\n\n\n\n                           GSA Contract No. GS-23F-8127H\n                           Purchase Order No. 2001062 10003\n                                 Task Order No. 00-01\n\n\n\n\nThis letter report was issued to Corporation management on October 5, 2001. Under\nOMB\'s implementing guidance, the Corporation must provide a plan of action and\nmilestones to address identified security weaknesses by October 3 1, 2001, and thereafter\nprovide quarterly status updates on remedial efforts. Additionally, OIG is required under\nGISRA to conduct follow-up evaluations in 2002. Weaknesses and corrective actions\ncontained in this report will be included in the audit resolution process. 
The Corporation\nmust make final management decisions no later than April 3, 2002 and complete its\ncorrective actions by October 5,2002.\n\x0c                                                                                      CORPORATION\n                    Letter Report Regarding Compliance With\n                 The Government Information Security Reform Act                       FOR NATIONAL\n                            OIG Report Number 02-04\n\n\n\nIn compliance with section 3535 of Title 44, US Code, as added by the Government\nInformation Security Reform Act of 2000 (Public Law 106-398), CNS OIG performed\nindependent evaluations of the Corporation\'s information security program and practices\nand its compliance with the Act. In performing these evaluations, OIG followed\nimplementing guidance and reporting instructions contained in two memorandums (M-\n01-08 and M-01-24) that the Office of Management and Budget issued on January 16,\n2001 and June 22,2001, respectively.\n\nBetween June and September 2001, OIG engaged KPMG LLP to analyze four elements\nof the Corporation\'s information technology systems, including:\n\n       - Momentum, the Corporation\'s financial management system\n       - System for Programs, Agreements and National Service participants (SPAN)\n       - The Corporation\'s Network\n       - Agency-wide policies and procedures not specific to an individual system\n\nFor its analysis and related testing, KPMG used the CIO Council\'s "Federal Information\nTechnology Security Assessment Framework" and the NIST "Security Self-Assessment\nGuide for Information Technology Systems" consistent with OMB\'s guidelines.\n\nThe assessments generally concluded that the Corporation has done a very respectable\njob of providing agency-wide information security but noted two areas that need\nimprovement:\n\n        - Strengthening program officials\' involvement in assessing security risks,\n         understanding business impacts, and evaluating 
mitigating security measures\n        - Formally integrating security planning with overall information technology\n         and business strategies and with resource allocation decision making\n\nThe CIO staff reviewed and commented on drafts of the four assessments (Appendices A\nthrough D) attached to this letter report.\n\nBecause this report concerns Corporation computer security practices and vulnerabilities,\nits distribution is limited to the Office of Inspector General and those management and\nCIO personnel of the Corporation who have a need to know the information in order to\nperform their official duties. It is also available upon request to the Office of\nManagement and Budget and the United States Congress. Due to the sensitivity of its\ncontent, this report is exempt from release to the general public.\n\n\n\n\n                                                                                Inspector General\n                                                                                1201 New York Avenue, NW\n                                                                                Washington, DC 20525\n\x0c                                     Office of Inspector General\n                         Corporation for National and Community Service\'s\n                             Letter Report Regarding Compliance With\n                         The Government Information Security Reform Act\n\n                                                Table of Contents\n\n\nRESULTS IN BRIEF .......................................................................................\n\n\nPROJECT OBJECTIVES .................................................................................\n\n\nMETHODOLOGY ...........................................................................................\n\n\nCHART 1 - GISRA ASSESSMENTS SUMMARY.........................................\n\n\nAPPENDIX A - GISRA ASSESSMENT SUMMARY OF AGENCY-WIDE\n    POLICIES AND PROCEDURES 
........................................................... A- 1\n\n\nAPPENDIX B - GISRA ASSESSMENT SUMMARY OF LOCAL AND\n    WIDE AREA NETWORKS ...................................................................B- 1\n\n\nAPPENDIX C - GISRA ASSESSMENT SUMMARY OF MOMENTUM ... C-1\n\n\nAPPENDIX D - GISRA ASSESSMENT SUMMARY OF SYSTEM FOR\n    PROGRAMS, AGREEMENTS AND NATIONAL PARTICIPANTS .. D-1\n\n\nAPPENDIX E - SUGGESTED RESPONSES TO OMB\n    MEMORANDUM M-0 1-24 ....................................:..................... E- 1\n\x0c            2001 M Street, N W.\n            Washmgton, D.C. 20036\n\n\n\n\nSeptember 26, 2001\n\nInspector General\nCorporation for National and Community Service\nWashington, DC 20525\n\nAt your request, KPMG LLP (KPMG) performed an evaluation of the Corporation for\nNational Service\'s compliance with the Government Information Security Reform Act\n(GISRA) and the implementing guidance issued by the Office of Management and\nBudget (OMB) in OMB Memorandums M-01-08 and M-01-24. GISRA focuses on the\nmanagement of each agency\'s information security program, and directs that information\nsecurity vulnerabilities and their remediation be explicitly considered when the agency\nannually considers its budget needs, priorities and allocation of funding. Our evaluation\nused the CIO Council\'s Federal Information Technology Security Assessment\nFramework along with the corollary guidance, Special Publication 800-26, issued by the\nDepartment of Commerce, National Institute of Standards and Technology (NIST), as\nrequired by OMB. 
The objectives of our evaluation were 1) to assess compliance of the\nCorporation\'s management of its information security program, 2) to assess compliance\nof the Corporation\'s operational and technical implementation of its information security\nprogram, and 3) to test the effectiveness of the Corporation\'s operational and technical\nimplementation of its information security program.\n\nResults in Brief\nIn general we found that the Corporation does a very respectable job of providing\nagency-wide information security. It has a proactive staff, and management who\nunderstand the importance of information security to the conduct of the Corporation\'s\nbusiness. It is strongest in its day to day operation and maintenance of the information\nsecurity infrastructure and in its personnel security awareness and training program.\n\nThe areas that need improvement (listed below) tend to be those that that stem from new\nGISRA requirements:\n\n   There should be strengthened involvement of program officials in assessing the\n   security risks to their program areas, in understanding the possible business impacts\n   and in evaluating the adequacy of the mitigating security measures that are in place.\n   At present, information security planning principally has an operational focus, and is\n   not forward looking. GISRA requires that security planning be formally integrated\n   with overall information technology and business strategies and with resource\n   allocation processes.\n\x0cOffice of Inspector General\nCorporation for National Service\nPage 2\n\n   GISRA places a premium on documentation of information security policies and\n   procedures, as well as, actual performance of the procedures. 
Two areas specifically\n   need improvement in the degree of documentation:\n\n   o System development life cycle (SDLC) processes, and\n   o Routine, periodic review of information security controls and audit logs to assure\n     that the reviews are actually being accomplished.\n\nProject Objectives\n\nThe objectives of this project were to conduct an independent evaluation of the\nCorporation\'s information security program and practices, to test the effectiveness of the\nCorporation\'s security control techniques, and to ascertain the Corporation\'s degree of\ncompliance with the Government Information Security Reform Act and implementing\nguidance from OMB.\n\nMethodology\n\nOMB Memorandum 01-24 requires the use of the CIO Council\'s "Federal Information\nTechnology Security Assessment Framework" (The Framework). Coupled with the\nNIST "Security Self-Assessment Guide for Information Technology Systems", NIST\nSpecial Publication 800-26 (The NIST Guide), the Framework provides a vehicle for a\nconsistent and effective measurement of the security status for a given asset. The NIST\nGuide provides specific questions that identify the control criteria against which agency\npolicies, procedures and security controls can be compared.\n\nThe Framework is divided into five levels: Level 1 of the Framework reflects that an\nasset has documented security policies. At Level 2, the asset also has documented\nprocedures and controls to implement the policies. Level 3 indicates that procedures and\ncontrols have been implemented. Level 4 shows that the procedures and controls are\ntested and reviewed. 
At Level 5, the asset has procedures and controls that are fully\nintegrated into a comprehensive life cycle program and into the strategic planning and\nresource allocation processes of the agency.\n\nThe evaluation of the Corporation\'s assets was performed in accordance with the\nFramework in the following four areas:\n\n    Momentum (the Corporation\'s financial management system)\n    SPAN (System for Programs, Agreements and National Service Participants)\n    The Corporation\'s Network\n    Agency-wide policies and procedures that are not specific to an individual system\n\x0cOffice of Inspector General\nCorporation for National Service\nPage 3\n\nThe Web Based Reporting System (WBRS) was not re-evaluated at this time, since it was\nassessed in conjunction with the recent audit of the Corporation\'s Financial Statement for\nFiscal Year 2000.\n\nIn addition to the review of policies, procedures and practices, a Vulnerability and\nPenetration Assessment was performed on the Corporation\'s external and internal\nnetworks. More specifically, we attempted to simulate a number of security penetration\nscenarios. The results of this assessment were generally favorable.\n\nThe results of the evaluations that were done using the Framework\'s methodology are\nsummarized in Appendices A through D. Chart 1 on the next page shows the results for\nall four evaluations. The Framework Levels are shown as column headings with the\nindividual Corporation assets that were evaluated shown diagonally below them. The\nNIST Guide\'s control criteria are shown as row headings. The control criteria fall into\nthree general groupings: Management Controls, Operational Controls and Technical\nControls.\n\nIn the main body of the chart a "Yes" means that the criteria for the specific control\nobjective at the specific Framework Level were met. A "Yes*" means that some\nweaknesses were observed, but the criteria were generally met. 
A "No" means the\ncriteria were not met in some significant respect. The chart has similar ratings shaded the\nsame tone. The black areas are not relevant.\n\nAppendix E contains suggested responses to the thirteen questions that OMB\nMemorandum 01-24 requested the Inspector Generals to answer. The suggested\nresponses are based on the evaluations that were done, but there is not a direct one for\none correlation.\n\x0c         -\nChart 1 GlSRA Assessments Summary\n                          Level1    Level 2   Level 3   Level 4            Level 5\n\n\n\n\nControl Objectives\n\n\n\n\n                                                                  Page 4\n\x0c  Office of Inspector General\n  Corporation for National Service\n  Page 5\n                                           *****\n\n  This report is intended solely for the information and use of the Office of the Inspector\n  General, the management of the Corporation for National and Community Service, the\n  Office of Management and Budget, and the United States Congress and is not intended to\n  be and should not be used by anyone other than these specified parties.\n\n\n\n\n7Y-\ni/ Felipe   onso\n   partn&f.,KPMG LLP\n\x0cAPPENDIX A\n\x0c                                                                            Appendix A\n\n                                    GENERAL\n                    OFFICEOF INSPECTOR\n                                 AND COMMUNITY\n                      FOR NATIONAL\n             CORPORATION                     SERVICE\n\n                AGENCY-WIDE\n                          POLICIES\n                                 AND PROCEDURES\n                   GlSRA ASSESSMENTSUMMARY\n\n\nThe Corporation for National Service (CNS) maintains both WAN and LAN connections for\nits employees, contractors, and the classrooms of the AmeriCorps"Nationa1 Civilian\nCommunity Corps (NCCC). There are approximately 800 computers on this network. 
The\nCorporation\'s WAN connects LANs at the Corporation\'s five regional service centers, five\nNCCC campuses, and several state offices with the Corporation\'s headquarters. Regional\nservice centers have local network servers; however, the majority of the Corporation\'s\nnetwork servers are located at Corporation headquarters in Washington, DC. These servers\nalso provide email and Oracle services to the entire WAN. The Corporation has a disaster\nrecovery site in Herndon, VA, to which headquarters is connected via a dedicated T1 line.\n\nMomentum is the Corporation\'s financial management system. It is an Oracle based\nproprietary system developed by AMS. The System for Programs, Agreements, and National\nService Participants (SPAN) is an Oracle based system used to manage the National Service\nTrust and to provide ArneriCorps member information. The Web Based Reporting System\n(WBRS) is a Lotus Notes Domino program developed to help both AmeriCorps programs and\nthe state commissions that transmit Corporation supplied grant funds to many sub-recipients\nin each state, and to provide financial and program information to the Corporation.\nMomentum and WBRS are outsourced and operate at remote data centers. The U.S.\nDepartment of Agriculture, National Finance Center provides payroll processing for the\nCorporation.\n\nThe senior CNS official responsible for agency-wide information technology policies and\nprocedures is the Chief Information Officer, Dave Spevacek.\n\n\n\nCNS does a very respectable job of providing agency-wide information security. It has\nproactive staff and management who understand the need for information security, and give it\npriority. It is strongest in its day to day operation and maintenance of the information security\ninfrastructure and in its personnel security awareness and training program.\n\nThe areas in which it needs improvement tend to be those that are new requirements\nstemming from GISRA. 
CNS has begun to involve senior program officials in assessing the\ninformation security risks to their program areas and the mitigating security measures that are\nin place. But, the extent of program official involvement is still limited, as is the assessment\nof business risks and impacts.\n\n\n\n                                            Page A - 1\n\x0c                                                                          Appendix A\n gml\nInformation security planning has principally an operational focus, and is not yet forward\nlooking, nor integrated with overall information technology and business strategies.\nDocumented procedures are not yet established for the timely reporting of security incidents\nto the Office of Inspector General and to external authorities, as required by GISRA. The\nCIO acknowledges the requirement to update the reporting guidelines to comply with GISRA\nand is in the process of completing that task. In the interim, the CIO has indicated they will\nreport security incidents to the OIG and appropriate external authorities.\n\nInformality is preferred in many CNS processes, and there is relatively less documentation\nthan there would be in a larger agency. This occurs primarily because of the limited number\nof information technology staff and overall resource constraints. Two areas specifically need\nimprovement in the degree of documentation: 1) system life cycle development processes, and\n2) the routine, periodic reviews of information security controls and audit logs to assure that\nthe reviews are actually being accomplished.\n\nThe methodology used for this GISRA assessment is the CIO Council\'s Federal Information\nSecurity Self-Assessment Framework. The Self-Assessment Framework requires the use of\nthe control criteria found in NIST Special Publication 800-26.\n\nThe following table summarizes the results of the assessment that was done based on the\nabove standards and criteria. 
The remainder of this report summarizes the key strengths and\nweaknesses for each of the major control objectives. Each weakness is classified into a high,\nmedium and low severity rating. Special weight was given to those areas that are directly\naddressed by the GISRA legislation.\n\n\n\n\n                                           Page A - 2\n\x0c                                                                                                              Appendix A\n\n\n\n\n                            Level 1      Level 2        Level 3            Level 4             Level 5\n       Control            Documented   Documented    Implemented     Tested and Reviewed   Fully Integrated\n       Criteria             Policy     Procedures   Procedures and     Procedures and      Procedures and\n                                                       Controls            Controls            Controls\n OVERALL                     Yes         Yes*            Yes*              Yes*                  No\n\n MANAGEMENT\n 1. Risk Management          Yes          NO             Yes*              Yes                  NO\n 2. Security Controls        Yes          Yes            Yes               Yes                 Yes*\n 3. Life Cycle               Yes          Yes            Yes*               NO                  No\n 4. Authorize                Yes          Yes            Yes               Yes                 Yes\n 5. Security Plan            Yes          Yes            Yes*              Yes*                 No\n\n OPERATIONAL\n 1. Personnel Security      Yes*         Yes*            Yes*              Yes                 Yes*\n 2. Physical Protection     Yes          Yes*            Yes*              Yes*                 NO\n 3. Production uo            n/a          n/a             n/a               n/a                 n/a\n 4. Contingency Plan        Yes          Yes             Yes               Yes*                 No\n 5. HardwareISoftware       Yes.         
Yes             Yes               Yes                  NO\n 6. Data Integrity          Yes          Yes             Yes               Yes                 Yes*\n 7. Documentation           Yes          Yes*             NO                NO                  NO\n 8. Training                Yes          Yes             Yes               Yes                 Yes\n 9. Incident Response       Yes*         Yes*            Yes*              Yes*                 NO\n\n TECHNICAL\n I. Authentication   Yes                  Yes            Yes*              Yes                  Yes\n  2. Logical Access  Yes                  Yes            Yes               Yes                  Yes\n  3. Audit Trails    Yes                  Yes            Yes               Yes*                 No\n* some weaknesses observed\n\n                                                    Page A - 3\n\x0c                                                                             Appendix A\n ma\nA.          MANAGEMENT CONTROLS\n\n\n\nI         ~ e v e 1l  Level 2      Level 3                    Level 4            Level 5\n        Documented Documented Implemented                    Tested and      Fully Integrated\n          Policy     Procedures Procedures and               Reviewed        Procedures and\n                                   Controls                Procedures and        Controls\n                                                              Controls\n           Yes            No           Yes*                     Yes                 No\n*       some weaknesses observed\n\nStrengths: In accordance with OMB Circular A- 130, CNS\'s Computer Security policy\nrequires that risk assessments be conducted every three years or when major system changes\noccur. 
This year, in conjunction with the re-accreditation process, risk analyses were\nconducted for all of CNS\'s mission critical systems and network.\n\nCNS has implemented a new procedure that requires agency program officials to formally\naccept the responsibility for the risks identified to mission critical systems and for the level of\nsecurity provided to mitigate those risks.\n\nWeaknesses: CNS does not have a documented risk assessment procedure or methodology.\nThe CNS policy does not provide guidance for integrating system risk management with\nprogram management. Program officials have not been formally responsible for the levels of\nrisk and mitigation within the systems that support CNS\'s major programs. One of the\nconsequences is that the system risk analyses that were recently done do not address specific\nbusiness impacts. (severity: medium)\n\n             2.    REVIEWOF SECURITY\n                                   CONTROLS\n\n        Level 1    Level 2     Level 3                        Level 4             Level 5\n      Documented Documented Implemented                      Tested and       Fully Integrated\n    1   policy   Procedures Procedures and                   Reviewed         Procedures and\n    1                          Controls                    Procedures and         Controls\n                                                              Controls\n            Yes          Yes            Yes                     Yes                 Yes*\n* some weaknesses observed\nStren~ths:Security controls for CNS\'s mission critical systems are reviewed and tested every\nthree years in conjunction with the re-accreditation process. For 2001, the accreditation was\nlimited to one year as CNS shifts to an annual accreditation program. The CNS Security Plan\ndetails various security controls, the frequency with which they should be reviewed and\nassigns responsibility for their review. 
CNS\'s computer security policy and procedures, also\nrequire that security incidents be analyzed and remedial actions taken.\n\n\n\n\n                                              Page A - 4\n\x0c                                                                         Appendix A\n Mm\nWeaknesses: A GISRA assessment in accordance with the CIO Council\'s Federal\nInformation Technology Security Assessment Framework was not done as required by OMB.\nCorporation policies have not yet been updated to be in accordance with the GISRA\nrequirement for annual assessments. (severity: low)\n\n\n\n       Level 1    Level 2     Level 3                      Level 4           Level 5\n     Documented Documented Implemented                    Tested and     Fully Integrated\n       Policy   Procedures Procedures and                 Reviewed       Procedures and\n                              Controls                  Procedures and       Controls\n                                                           Controls                         I\n         Yes          Yes           Yes*                      No               No\n     some weaknesses observed\n\nStrengths: CNS has a documented policy and procedures for Life Cycle Management of\nsystems.\n\nWeaknesses: There is very little documentation to show that life cycle procedures are\nfollowed. Management states that the life cycle procedures are followed informally. Periodic\nreview and testing of life cycle procedures is not done, nor required by CNS policies.\n(severity: medium)\n\n          4.    
AUTHORIZE\n                        PROCESSING\n                                 (CERTIFICATION\n                                             AND ACCREDITATION)\n\n I     Level 1    Level 2     Level 3                      Level 4           Level 5\n I   Documented Documented Implemented                    Tested and     Fully Integrated\n       Policy   Procedures Procedures and                 Reviewed       Procedures and\n                              Controls                  Procedures and       Controls\n                                                           Controls\n         Yes          Yes            Yes                     Yes               Yes\n\nStrengths: In accordance with CNS policies, all of CNS\'s mission critical application systems\nwere formally re-accredited in June 2001. During the re-accreditation process a security\nevaluation and risk assessment were completed, and a security plan developed for the system.\n\nWeaknesses: None Observed.\n\n\n\n\n                                           Page A - 5\n\x0c                                                                           Appendix A\n\n\n\n\n    Level 1    Level 2     Level 3                           Level 4           Level 5\n  Documented Documented Implemented                         Tested and     Fully Integrated\n    Policy   Procedures Procedures and                      Reviewed       Procedures and\n                           Controls                       Procedures and       Controls\n                                                             Controls\n      Yes            Yes             Yes*                     Yes*               No\n* some weaknesses observed\nStrengths: CNS has a documented security plan that identifies security related activities, the\ntime frame in which they are to be performed and the individuals or groups that are\nresponsible for performing the activities.\n\nWeaknesses: CNS\'s agency-wide security plan details routine operational actions, 
but is not\nforward looking. It does not describe a strategy for providing security to all of CNS\'s systems\nand network, nor does it address how future deadlines for implementing security requirements\nthat are mandated by current legislation will be met. For instance, it does not describe the\nsteps the Corporation glans to take to comply with the Government Paperwork Elimination\nAct (GPEA). A summary of CNS\'s security plans is not included in the IT strategic plan as\nrequired by GISRA. (severity: medium)\n\n\nB.     OPERATIONAL CONTROLS\n\n\n\n    Level 1    Level 2     Level 3                           Level 4           Level 5\n  Documented Documented Implemented                         Tested and     Fully Integrated\n             Procedures Procedures and                      Reviewed       Procedures and\n                           Controls                       Procedures and       Controls\n                                                             Controls\n      Yes*           Yes*             Yes*                     Yes              Yes*\n* some weaknesses observed\nStrengths: CNS\'s computer security policy is based on the concept of least privilege. Users\nare granted access only to the information they need to perform their job.\n\nCNS requires that an Information System Access request form be approved by management\nprior to an employee being granted access to a CNS Information System.\n\nThe Corporation does not have a written policy regarding personnel screening of its\nemployees. The Human Resources Office reports that it requests a National Agency Check\non certain employees serving in certain selected positions after they are hired.\n\n\n\n\n                                             Page A - 6\n\x0c                                                                          Appendix A\n\nDocumented job descriptions exist for employees of the CNS Office of Information\nTechnology (OIT). 
Security responsibilities for the CIO and Information Systems Security\nOfficer are also documented in the CNS Network Security Plan.\n\nUsers of CNS information systems are advised of their rights and responsibilities through the\nNetwork logon banner, security awareness training and the CNS Policy "Internet and E-mail\nAccess and Acceptable Use".\n\nWeaknesses: Corporation security procedures for employee and contractor terminations are\nnot documented. Even for unfriendly terminations the procedures are informal and depend on\nparticular individuals being aware of each specific situation. (severity: low)\n\nCNS has a small IT staff. The separation of duties is not specifically documented, and is not\nas much as it would be in a larger organization. But, CNS management feels that there is\nabout as much separation of duties as is practical. (severity: low)\n\n       2.      PHYSICAL\n                      AND ENVIRONMENT\n                                   PROTECTION\n\n     Level 1    Level 2     Level 3                         Level 4           Level 5\n   Documented Documented Implemented                       Tested and     Fully Integrated\n 1   Policy   Procedures Procedures and                    Reviewed       Procedures and\n I                          Controls                     Procedures and       Controls\n I                                                          Controls\n 1     Yes           Yes*            Yes*                    Yes*                No\n* some weaknesses observed\nStrengths: Access to the Corporation\'s Computer Room - Data Center is restricted. No\nemployees are permanently assigned to be in the Data Center, and all visitors to the Data\nCenter are required to sign in, in accordance with the CNS security policy.\n\nAccess to general office space is controlled by electronic access keys. 
Receptionists control\naccess for those without access keys.\n\nIn the event of a power outage, the Corporation has an Unintermptible Power Supply that will\nallow it time to do an orderly shut down of its systems. Portable fire extinguishers are\navailable in Corporation office spaces, and an automated fire suppression system is installed\nin the building.\n\nWeaknesses: Risk assessments for Corporation facilities to identify threats, vulnerabilities\nand potential business impacts are not required by CNS\'s security policy nor done on a\nperiodic basis. (severity: low) OIG has previously reported weak accountability for the\nelectronic access keys and for the master keys that control access to every floor. There are no\ndocumented requirements or procedures for securing unused keys. (severity: medium)\nReception personnel do not consistently challenge visitors. (severity: low)\n\n\n\n\n                                            Page A - 7\n\x0c                                                                          Appendix A\n\n\n\nI      ~ e v e 1l  Level 2      Level 3                     Level 4           Level 5         1\n     Documented Documented Implemented                     Tested and     Fully Integrated\n       Policy     Procedures Procedures and                Reviewed       Procedures and\n                                Controls                 Procedures and       Controls\n                                                            Controls\n        nla           nla             nla                     nla                nla\n\nStrengths: For systems that CNS operates on its own behalf, users of the system control all\ninput and output. There is no central operations staff at CNS. CNS also has two systems\nwhose operation is out-sourced to other service providers. 
In these cases too, input and output\nare controlled by the system users.\n\nWeaknesses: None observed.\n\n       4.      CONTINGENCY PLANNING\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes                Yes*               No\n* some weaknesses observed\n\nStrengths: CNS has a documented business continuity plan and a documented disaster\nrecovery plan.\n\nCNS backs up data to tapes on a daily, weekly, and monthly basis. Tapes are rotated offsite\nweekly.\n\nCNS has contracted with SunGard to maintain a disaster recovery site at its Reston, VA\nfacility, and with the Department of Veterans Affairs to maintain workspace in Washington,\nDC should CNS facilities become unavailable.\n\nCNS tested the Disaster Recovery Plan in August 2001.\n\nWeaknesses: The business continuity plan has not been tested since 1999. The business\ncontinuity plan is currently under revision and will be finalized based upon the results of the\ndisaster recovery plan testing that has recently been conducted. Business continuity and\ndisaster recovery plans have not been developed for Service Centers or State offices.\n(severity: medium)\n\nDuring the review of the disaster recovery plan, it was noted that the address of the off-site\ntape storage location was not listed. This information should be included in the disaster\nrecovery plan. (severity: low)\n\n       5.      
HARDWARE AND SYSTEM SOFTWARE MAINTENANCE\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes                Yes                No\n\nStrengths: Access to system software is restricted to a limited number of personnel,\ncorresponding to job responsibilities. New system software versions or products and\nmodifications to existing system software receive proper authorization and are supported by a\nchange request document.\n\nWeaknesses: Hardware and system software maintenance controls are not fully integrated\ninto the Corporation\'s overall life cycle planning. The Corporation\'s System Development\nLife Cycle methodology is not applied to the network. 
(severity: low)\n\n       6.      DATA INTEGRITY\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes                Yes                Yes*\n* some weaknesses observed\n\nStrengths: CNS has an agency-wide policy on Safeguarding Sensitive Information and\nDocuments that provides users with guidelines for storage, disposal and handling of sensitive\ninformation and documents. In addition, it has application specific policies, procedures and\ncontrols in place. It also has general personnel security, network access and facility access\ncontrols in place that in combination protect data integrity.\n\nWeaknesses: None observed for systems on the CNS LAN. Issues with WBRS were noted in\nthe FY 2000 financial statement audit. 
(severity: low)\n\n       7.      DOCUMENTATION\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes*           No                 No                 No\n* some weaknesses observed\n\nStrengths: CNS management states that because it is a relatively small agency, it is able to do\nmuch through the direct involvement of its IT staff and top management, and through frequent\nconversations with and among them; and therefore, there is much less of a need for\ndocumentation than in a larger agency.\n\nWeaknesses: Because of its size and limited resources, CNS documents its processes when it\nis required by external authority, but usually favors informality. This relative lack of\ndocumentation creates a situation in which it is difficult for a manager, auditor or other person\nwho has not been directly involved, to ascertain whether required processes are being done,\ninformally, or not at all. (severity: low)\n\n         8.    
SECURITY AWARENESS, TRAINING AND EDUCATION\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes                Yes                Yes\n\nStrengths: An ongoing, agency-wide security awareness program has been implemented. It\nincludes first-time training for all new employees, contractors, and users, and periodic\nrefresher training thereafter. Technical staff receive annual security training according to job\nresponsibilities and needs. Employees see and agree to the rules of behavior during their\nmandatory annual security awareness training. 
A daily security reminder is automatically\ndisplayed to employees during their login process.\n\nWeaknesses: None observed.\n\n       9.      INCIDENT RESPONSE CAPABILITY\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes*           Yes*           Yes*               Yes*               No\n* some weaknesses observed\n\nStrengths: CNS has documented Incident Response Guidelines that contain internal\nprocedures to be followed if an incident is detected.\n\nWeaknesses: CNS\'s Incident Response Guidelines do not specify under what circumstances\nexternal federal authorities will be notified, nor under what circumstances the CNS Office of\nInspector General will be notified, as required by GISRA. They also do not call for\nnotification to owners of interconnected systems. The procedure for contacting other parties,\nthe points of contact, and the nature of the information to be provided to them are not\ndescribed. The CIO acknowledges the requirement to update the reporting guidelines to\ncomply with GISRA and is in the process of completing that task. In the interim, the CIO has\nindicated that security incidents will be reported to the OIG and to appropriate external\nauthorities. (severity: medium)\n\n\nC.     TECHNICAL CONTROLS\n\n       1.      
IDENTIFICATION AND AUTHENTICATION\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes*               Yes                Yes\n* some weaknesses observed\n\nStrengths: Access to CNS systems is granted on a need to know basis. Password policy and\nprocedures are clearly documented and provided to all users. All personnel who are given\naccess to the system, including those needing it for a limited duration, must follow the\nstandard procedures before being granted access. Emergency and temporary access is not\nauthorized until the standard access request procedures are followed. CNS authentication\npolicies and procedures are consistent across all systems on the CNS LAN.\n\nWeaknesses: CNS management is aware that some CNS users have weak passwords, and\nmakes periodic efforts to educate users. Automated enforcement of strong passwords has not\nbeen implemented. Additional authentication methods are not used. Analysis of the WBRS\nresulted in recommendations to improve access and password controls as well as verification\nof data inputs to the system. (severity: medium)\n\n       2.      
LOGICAL ACCESS CONTROLS\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes                Yes                Yes\n\nStrengths: CNS has documented policies and procedures that require access to CNS systems\nto be granted only on a need to know basis. At an application system level, users are required\nto have management approval of their request for system access. CNS access control policies\nand procedures are consistent across all systems on the CNS LAN.\n\nWeaknesses: None observed for systems on the CNS LAN. During the OIG\'s audit of the\nCorporation\'s Financial Statement for Fiscal Year 2000[1], analysis of the WBRS identified\nweaknesses in access and password controls and in the verification of data inputs to the\nsystem. The report noted that WBRS password entry attempts are not limited to three\nattempts. Multiple failed attempts do not trigger a freezing of the account to defend the\nsystem against unauthorized access. There is no enforcement of the suggestion that\npasswords should be at least six characters long. The WBRS does not automatically log off\nafter a period of thirty minutes of inactivity. Additionally, the report recommended routine\nreview of WBRS error listings by an individual other than the person inputting data into the\nsystem and spot checks of underlying support for the data submitted via WBRS on a periodic\nbasis. 
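
The WBRS findings above (password attempts not limited to three, no freezing of the account after repeated failures, no enforced six-character minimum, no automatic logoff after thirty minutes of inactivity) are mechanical controls, and the following is an added example of how a login and session gate can enforce all of them while leaving a reviewable audit record. It is not code from the OIG report, from KPMG or from WBRS. The account names, passwords and injectable clock are constructed for the demonstration, and the six-character minimum is kept only because it is the figure the audit cites; it is a 2001 number, not current guidance.

```python
"""Added example (not from the OIG report or WBRS): enforce the three WBRS
access-control recommendations in code rather than leaving them as suggestions."""

import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_ATTEMPTS = 3            # audit: entry attempts limited to three, then freeze
MIN_PASSWORD_LENGTH = 6     # audit's six-character figure (2001); raise it today
INACTIVITY_LIMIT = 30 * 60  # audit: automatic logoff after thirty idle minutes
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stored form is salt || digest."""
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_acceptable(password: str) -> bool:
    """Automated enforcement of the minimum length, not a suggestion to users."""
    return len(password) >= MIN_PASSWORD_LENGTH


@dataclass
class Account:
    stored_hash: bytes
    failed_attempts: int = 0
    frozen: bool = False


@dataclass
class Session:
    user: str
    last_activity: float


class AccessGate:
    """Login and session gate; `clock` is injectable so the timeout is testable."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[Tuple[float, str, str]] = []  # (time, event, user)

    def _log(self, event: str, user: str) -> None:
        self.audit_log.append((self.clock(), event, user))

    def set_password(self, user: str, password: str) -> None:
        if not password_acceptable(password):
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        self.accounts[user] = Account(stored_hash=hash_password(password))

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token or None; a frozen account fails even with the right password."""
        acct = self.accounts.get(user)
        if acct is None or acct.frozen:
            self._log("login_denied", user)
            return None
        if not verify_password(password, acct.stored_hash):
            acct.failed_attempts += 1
            self._log("login_failed", user)
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.frozen = True  # stays frozen until an administrator unlocks it
                self._log("account_frozen", user)
            return None
        acct.failed_attempts = 0
        token = os.urandom(16).hex()
        self.sessions[token] = Session(user=user, last_activity=self.clock())
        self._log("login_ok", user)
        return token

    def unlock(self, user: str) -> None:
        """Administrative release, logged so a reviewer sees who was frozen and released."""
        acct = self.accounts[user]
        acct.frozen, acct.failed_attempts = False, 0
        self._log("account_unlocked", user)

    def touch(self, token: str) -> Optional[str]:
        """Call on every request: the user, or None once the session has timed out."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_activity > INACTIVITY_LIMIT:
            del self.sessions[token]  # automatic logoff
            self._log("session_expired", sess.user)
            return None
        sess.last_activity = now
        return sess.user


if __name__ == "__main__":
    gate = AccessGate()
    gate.set_password("demo.user", "correct-horse")  # constructed credentials
    for guess in ("guess1", "guess2", "guess3"):
        gate.login("demo.user", guess)
    print(gate.login("demo.user", "correct-horse"))  # None: three failures froze it
    for when, event, who in gate.audit_log:
        print(f"{when:.0f} {event} {who}")
```

The freeze is deliberately not self-clearing: the audit asks for the account to be frozen to defend against unauthorized access, so release is an administrative action that itself leaves an entry in the audit log, which is also the kind of record the report's audit-trail finding says should exist rather than being confirmed only verbally.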
(severity: medium)\n\n       3.      AUDIT TRAILS\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes                Yes*               No\n* some weaknesses observed\n\nStrengths: The Network Computer Security Plan provides agency-wide, but specific, guidance\non the review of a variety of audit logs that are generated by the major CNS application\nsystems, servers and network devices.\n\n[1] OIG Audit Report Number 01-01, Audit of the Corporation for National and Community Service\'s Fiscal Year\n    2000 Financial Statements, and OIG Audit Report Number 01-02, Recommended Improvements to the\n    Corporation\'s Internal Controls Fiscal Year 2000 - Management Letter.\n\nWeaknesses: There is only verbal confirmation that the audit logs are regularly reviewed or\notherwise analyzed. (severity: low) Audit trail controls are not fully integrated into the\nCorporation\'s overall life cycle planning. 
(severity: low)\n\n\n                                   APPENDIX B\n\n                     OFFICE OF INSPECTOR GENERAL\n            CORPORATION FOR NATIONAL AND COMMUNITY SERVICE\n\n                  LOCAL AND WIDE AREA NETWORKS\n                     GISRA ASSESSMENT SUMMARY\n\n\nThe Corporation for National Service (CNS) Network consists of a local area network (LAN)\nin the headquarters office, with a high speed Frame Relay network provided by MCI for remote\nRegional Service Centers, State Offices, National Civilian Community Corps (NCCC)\ncampuses, and two remote processing sites. Web servers reside on the public side of the\nCorporation Network outside the headquarters firewall, and are provided by UUNET. A\nsingle high speed Internet connection through the firewall is provided for all Corporation\nusers. Some dial-in service is provided for remote offices through a server-controlled modem\npool.\n\nMr. Tom Hanley, Deputy CIO, is the designated program official for the Corporation\nNetwork, and is responsible for overall network security. The Office of Information\nTechnology (OIT) provides all administrative and problem support for IT equipment installed\nin remote offices. OIT monitors network vulnerabilities, maintains an intrusion detection\ncapability on the network, and periodically performs its own penetration testing.\n\nThe CNS Corporation Network is generally well-protected through a combination of sound\nsecurity practices and continuing management attention.\n\nSecurity policies relating to the Corporation Network are for the most part comprehensive and\nwell documented, but some have not yet been updated to reflect GISRA requirements. 
These\ninclude the requirement for annual GISRA assessments; required reporting, when security\nincidents occur, to the Inspector General and external authorities, such as FEDCIRC; and\nintegration of information security into the agency\'s strategic IT plan and overall agency\nresource prioritization processes.\n\nInformation security plans are in place, but are almost totally operational in nature. More\nstrategic, forward looking elements should be incorporated in them that address such topics as\nthe Corporation\'s plans for compliance with the Government Paperwork Elimination Act\n(GPEA) and GISRA, including the resources that will be required. Business Continuity Plans\nare not current and do not include CNS entities outside the Washington headquarters. They\nshould be updated.\n\nProcedures implementing network security policies are not as well documented as are the\npolicies, but are generally effective. Areas that need strengthening include procedures for\nconducting risk assessments that incorporate business impact analysis and procedures for\napplying a System Development Life Cycle methodology to the network.\n\nSecurity controls for the Corporation Network are generally effective. One area that needs\nimprovement is the documentation of the results and review of audit logs and other security\nmeasures to assure actual performance of reviews. Another area is authentication. CNS\nmanagement acknowledges that some CNS users have weak passwords, and makes periodic\nefforts to educate users. Automated enforcement of strong passwords has not been\nimplemented, nor have additional methods of authentication been used.\n\nThe methodology used for this GISRA assessment is the CIO Council\'s Federal Information\nSecurity Self-Assessment Framework. 
The Self-Assessment Framework requires the use of\nthe control criteria found in NIST Special Publication 800-26.\n\nThe following table summarizes the results of the assessment that was done based on the\nabove standards and criteria. The remainder of this report summarizes the key strengths and\nweaknesses for each of the major control objectives. Each weakness is classified into a high,\nmedium or low severity rating. Special weight was given to those areas that are directly\naddressed by the GISRA legislation.\n\nOne aspect of the ratings deserves mention. The criteria for meeting the Level 5 requirements\nof the Framework are integration of information security plans into the agency\'s strategic\nplans, and integration of the operational and technical controls into a life cycle methodology.\nLack of these two elements causes all Level 5 ratings for the network to be negative. But, this\nshould not overshadow the fact that CNS\'s information security practices are generally\neffective.\n\n\nA.      
MANAGEMENT CONTROLS\n\n       1.      RISK MANAGEMENT\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  (illegible)    No             Yes*               Yes*               No\n* some weaknesses observed\n\nStrengths: CNS policy requires that network risk assessments be performed in conjunction\nwith Corporation Network re-accreditations at least every three years. The current re-\naccreditation of the network was completed in February 2001, and is limited to a one year\nperiod. A risk analysis was completed as part of the re-accreditation process.\n\nWeaknesses: Although risk assessments are periodically done in conjunction with re-\naccreditation, CNS does not have documented procedures for how to do the risk assessments.\nCNS contracts with a commercial vendor to perform this analysis and relies on the\ncontractor\'s methodology and expertise. The risk analysis that was completed for the network\nthis year found the risks overall to be low, but did not include a business impact analysis, nor\nan analysis at the network component level. Network resources are not classified according to\ntheir sensitivity or criticality. 
OIT has done informal assessments of risk at the network\ncomponent level, and has in place active redundancy, backup equipment, and spare parts for\ncritical elements of the Corporate Network. (severity: low)\n\nA business impact analysis document does not exist, but business impacts were considered as\nthe Disaster Recovery Plan (DRP) was being written. Impacts noted in the DRP are\nexpressed as high, medium and low, and are not expressed in terms of functional impacts.\n(severity: medium)\n\nRisk Management procedures and controls for the network are not fully integrated into the\nCorporation\'s overall life cycle planning. The Corporation\'s System Development Life Cycle\nmethodology is not applied to the network. (severity: low)\n\n       2.      REVIEW OF SECURITY CONTROLS\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes*               Yes                No\n* some weaknesses observed\n\nStrengths: CNS policy requires that security control reviews be periodically conducted in\naccordance with OMB Circular A-130. A security controls review was completed in June\n2001, as part of the re-accreditation process.\n\nOIT regularly conducts its own tests of security controls, and periodically has penetration\ntesting done by independent testers.\n\nAll users must log into the Windows NT network before logging into an application. 
Twelve\nState Offices, five Service Centers and all NCCC campuses are connected to the Corporation\nNetwork through a Frame Relay network provided by MCI. The other State Offices dial into\na Cisco AS5300 configured as a Point-to-Point Protocol (PPP) server. Dial-in users must pass\nthe AS5300\'s MS-CHAP authentication, which is provided by the Cisco Secure ACS software,\nand then must log into the NT network. Only then may the user log into an\napplication system under the control of an individual security profile.\n\nWeaknesses: A GISRA assessment in accordance with the CIO Council\'s Federal\nInformation Technology Security Assessment Framework was not done as required by OMB.\nIn June 2001, a Security Controls Review was performed by a contractor as part of the\nnetwork re-accreditation process, providing roughly equivalent information in many areas.\n(severity: low)\n\nDuring August 2001, some vulnerabilities were discovered during KPMG\'s independent\npenetration testing done in conjunction with this GISRA assessment. CNS took some\nremedial actions. (severity: low)\n\nNetwork security controls are not fully integrated into the Corporation\'s overall life cycle\nplanning. The Corporation\'s System Development Life Cycle methodology is not applied to\nthe network. 
(severity: low)\n\n       3.      LIFE CYCLE\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes*           Yes*               No                 No\n* some weaknesses observed\n\nStrengths: CNS has a System Development Life Cycle (SDLC) policy and methodology.\nOn-going network security monitoring and pro-active measures, such as required security\ntraining, awareness building, an aggressive virus protection program, access controls, and\nremote site network management, are an indication of day to day management attention to\nsecurity.\n\nWeaknesses: CNS has a System Development Life Cycle (SDLC) policy and methodology,\nbut it has not been formally applied to the Corporation Network. Management stated that the\nCNS SDLC is applied informally in their normal planning, acquisition, testing and\nimplementation processes for new network equipment and systems. (severity: low)\n\n         4.    
AUTHORIZE PROCESSING (CERTIFICATION AND ACCREDITATION)\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes                Yes                No\n\nStrengths: CNS policy requires re-accreditation of the Corporation\'s network every three\nyears, in accordance with OMB Circular A-130. Re-accreditation of the network was\ncompleted in June 2001, for a one year period.\n\nWeaknesses: Processing authorization is not fully integrated into the Corporation\'s overall\nlife cycle planning. The Corporation\'s System Development Life Cycle methodology is not\napplied to the network. (severity: low)\n\n       5.      SYSTEM SECURITY PLAN\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes                Yes                No\n\nStrengths: CNS policy requires that each critical system have a system security plan. CNS\nhas such a plan for the CNS network. 
The plan was updated as of June 2001, as part of the re-\naccreditation process.\n\nWeaknesses: The Network Computer Security Plan is not fully integrated into the\nCorporation\'s overall life cycle planning. The Corporation\'s System Development Life Cycle\nmethodology is not applied to the network. (severity: low)\n\nA summary of the Security Plan is not included in the CNS Strategic IT Plan as required by\nGISRA. (severity: low)\n\n\nB.      OPERATIONAL CONTROLS\n\n       1.      PERSONNEL SECURITY\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes*           Yes*           Yes*               Yes                No\n* some weaknesses observed\n\nStrengths: Job descriptions within OIT reflect assigned responsibilities, include requirements\nfor technical knowledge, skills and abilities, and can be used for performance evaluations.\n\nNo one is authorized to bypass controls, or get access prior to the completion of the new\nemployee computer security training and supervisory authorization processes.\n\nWeaknesses: Separation of duties is not explicitly mentioned in the Corporation Computer\nand 
Network Policy. A "least privilege" access policy is implemented through job functions,\nroles, and need-to-know policies. Termination procedures are not formally specified for\nfriendly vs. unfriendly terminations, but OIT is sensitive to potential threats, and takes action\nbased on specific situations. (severity: low)\n\n       2.      PHYSICAL AND ENVIRONMENT PROTECTION\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes            Yes*               Yes                No\n* some weaknesses observed\n\nStrengths: The computer room at CNS headquarters that houses most of the network and\nserver components that comprise the CNS network is a restricted access facility. All access is\nlogged.\n\nThe computer room has an uninterruptible power supply that protects against power\nfluctuations and outages.\n\nAccess to the Corporation\'s offices is controlled by electronic access keys. Receptionists\ncontrol access for those without access keys.\n\nWeaknesses: OIG has previously reported weak accountability for the electronic access keys\nand the master keys that permit access to every floor. (severity: medium) Reception\npersonnel do not consistently challenge visitors. (severity: low) A documented physical and\nenvironmental risk assessment to determine the adequacy of the physical controls has not\nbeen done. 
(severity: low)\n\nPhysical and environmental protection is not fully integrated into the Corporation\'s overall\nlife cycle planning. The Corporation\'s System Development Life Cycle methodology is not\napplied to the network. (severity: low)\n\n       3.      PRODUCTION INPUT/OUTPUT CONTROLS\n\n  Level 1        Level 2        Level 3            Level 4            Level 5\n  Documented     Documented     Implemented        Tested and         Fully Integrated\n  Policy         Procedures     Procedures and     Reviewed           Procedures and\n                                Controls           Procedures and     Controls\n                                                   Controls\n  Yes            Yes*           Yes                Yes                No\n* some weaknesses observed\n\nStrengths: Formal production input and output controls are in place for remote operations. A\nhelp desk at CNS headquarters provides first level support for questions and technical\nproblems locally and nationally.\n\nWeaknesses: Informal production input and output controls are in place in the CNS\nheadquarters. (severity: low)\n\nProduction input and output controls are not fully integrated into the Corporation\'s overall life\ncycle planning. The Corporation\'s System Development Life Cycle methodology is not\napplied to the network. 
(severity: low)\n\n       4.     CONTINGENCY PLANNING\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes*         Yes                Yes*               No\n* some weaknesses observed\n\nStrengths: A Corporate headquarters Disaster Recovery Plan (DRP) and Business Continuity/\nContingency Plan (BCCP) are in place. A draft DRP has been prepared by DOI-NBC for the\nMomentum system that includes telecommunications links. CNS tested the Disaster\nRecovery Plan in August 2001.\n\nAn update of the disaster recovery document is pending, and will be completed now that the\ndisaster recovery test has been done. The Corporation has contracted for 100 seats at\nSunGard.\n\nWeaknesses: The BCCP has not been tested. The Service Centers and State Offices depend\nupon headquarters OIT to restore their IT environment. They do not have documented\nbusiness recovery plans or capabilities for recovery of business functions. The file servers at\nService Centers are backed up to tape weekly on a four-week rotation. Tapes are kept in a\nsafe located in a room adjacent to the server room. A tape is sent quarterly to headquarters for\npermanent archival. (severity: medium)\n\nContingency planning is not fully integrated into the Corporation\'s overall life cycle planning.\nThe Corporation\'s System Development Life Cycle methodology is not applied to the\nnetwork. (severity: low)\n\n       5.     
HARDWARE AND SYSTEM SOFTWARE MAINTENANCE\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes                Yes                No\n\nStrengths: Access to system software is restricted to a limited number of personnel,\ncorresponding to job responsibilities. New system software versions or products and\nmodifications to existing system software receive proper authorization and are supported by a\nchange request document.\n\nWeaknesses: Hardware and system software maintenance controls are not fully integrated\ninto the Corporation\'s overall life cycle planning. The Corporation\'s System Development\nLife Cycle methodology is not applied to the network. (severity: low)\n\n       6.     DATA INTEGRITY\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes                Yes                No\n\nStrengths: Various general controls are in place to protect data integrity. Inappropriate or\nunusual activity is investigated and appropriate actions taken. Technical management\nmonitors the use of privileged system software and utilities. 
Procedures are in place to\ndetermine compliance with password policies. Intrusion detection tools are installed on the\nsystem. Internal and external penetration testing is performed as needed.\n\nOIT maintains close ties with CERT, FedCIRC, and SANS for virus alerts, keeps current with\nCisco maintenance, and keeps current with virus detection updates from McAfee.\n\nWeaknesses: Data integrity controls are not fully integrated into the Corporation\'s overall life\ncycle planning. The Corporation\'s System Development Life Cycle methodology is not\napplied to the network. (severity: low)\n\n       7.     DOCUMENTATION\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes                Yes                No\n\nStrengths: Network security policies and procedures are documented and current. The\nsecurity plan establishes and documents the security controls.\n\nNetwork diagrams document the network topology. Configuration parameters for routers and\nswitches are documented.\n\nWeaknesses: Documentation controls are not fully integrated into the Corporation\'s overall\nlife cycle planning. The Corporation\'s System Development Life Cycle methodology is not\napplied to the network. (severity: low)\n\n       8.     
SECURITY AWARENESS, TRAINING AND EDUCATION\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes                Yes                No\n\nStrengths: An ongoing security awareness program has been implemented. It includes first-\ntime training for all new employees, contractors, and users, and periodic refresher training\nthereafter. Technical staff receive annual security training according to job responsibilities\nand needs. Employees see and agree to the rules of behavior during their mandatory annual\nsecurity awareness training. A daily security reminder is automatically displayed to\nemployees during their login process.\n\nWeaknesses: Security Awareness, Training and Education controls are not fully integrated\ninto the Corporation\'s overall life cycle planning. The Corporation\'s System Development\nLife Cycle methodology is not applied to the network. 
(severity: low)\n\n       9.     INCIDENT RESPONSE\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes*         Yes*         Yes*               Yes*               No\n* some weaknesses observed\n\nStrengths: The current Incident Response Guidelines document is 27 pages long and highly\ntechnical. A new version of the guidelines is being written to make them easier for users to\nunderstand and follow.\n\nInappropriate or unusual activity is investigated and appropriate actions taken. Intrusion\ndetection tools are installed on the system. Incident response policies and procedures are\ndocumented, implemented and updated as needed.\n\nWeaknesses: CNS\'s Incident Response Guidelines do not address the conditions or\nprocedures for involving the CNS Inspector General (IG) or external federal authorities, as\nrequired by GISRA. However, one incident was recently reported to both the OIG and\nFedCIRC. Reporting procedures should be developed that describe under what conditions an\nincident should be reported to the IG or to authorities outside of CNS such as FedCIRC or\nthe FBI. The reporting procedures should describe to whom the incident is to be reported and\nthe information to be provided in the report. (severity: medium)\n\nIncident Response controls are not fully integrated into the Corporation\'s overall life cycle\nplanning. The Corporation\'s System Development Life Cycle methodology is not applied to\nthe network. (severity: low)\n\n\nC.     TECHNICAL CONTROLS\n\n       1.     
IDENTIFICATION AND AUTHENTICATION\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes*               Yes                No\n* some weaknesses observed\n\nStrengths: Password policy and procedures are clearly documented and provided to all users.\nAll personnel who are given access to the system, including those needing it for a limited\nduration, must follow the standard procedures before being granted access. Emergency and\ntemporary access is not authorized until the standard access request procedures are followed.\n\nWeaknesses: CNS management is aware that some CNS users have weak passwords, and\nmakes periodic efforts to educate users. Automated enforcement of strong passwords has not\nbeen implemented. (severity: medium)\n\nIdentification and authentication controls are not fully integrated into the Corporation\'s\noverall life cycle planning. The Corporation\'s System Development Life Cycle methodology\nis not applied to the network. 
(severity: low)\n\n       2.     LOGICAL ACCESS CONTROLS\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes                Yes                No\n\nStrengths: Logical access controls are in place for the local and remote network.\n\nIn addition to controlling access to the network by user, CNS controls network access by port\nbased on the MAC address of the PC or server.\n\nWeaknesses: Logical access controls are not fully integrated into the Corporation\'s overall\nlife cycle planning. The Corporation\'s System Development Life Cycle methodology is not\napplied to the network. 
(severity: low)\n\n       3.     AUDIT TRAILS\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes                Yes*               No\n* some weaknesses observed\n\nStrengths: The Network Security Plan describes numerous checks that must be made of a\nvariety of security controls, the frequency of the checks and who is responsible for making\nthem. Review of various audit logs is included in the list.\n\nAudit trails are produced by network system software, logging administrative and technical\nsupport activities performed by users.\n\nWeaknesses: There is only verbal affirmation from management that the audit logs are\nregularly reviewed or otherwise analyzed. (severity: low)\n\nAudit trail controls are not fully integrated into the Corporation\'s overall life cycle planning.\nThe Corporation\'s System Development Life Cycle methodology is not applied to the\nnetwork. 
(severity: low)\n\n\n\n\n\x0cAPPENDIX C\n\x0c                                                                     Appendix C\n\n\n                   OFFICE OF INSPECTOR GENERAL\n            CORPORATION FOR NATIONAL AND COMMUNITY SERVICE\n\n\n\n\nMomentum is the financial management system for the Corporation for National Service\n(CNS). The Momentum application was implemented in September 1999, and is comprised\nof 10 modules: Accounts Payable, Accounts Receivable, Automated Disbursements, Budget\nExecution, Cost Allocation, General Ledger, General System, Planning, Project Cost\nAccounting and Purchasing. Momentum is accessed through the CNS LAN by up to 150\nusers nationwide.\n\nMomentum was developed by American Management Systems (AMS), which remains\nresponsible for development, maintenance and configuration control of the application.\nMomentum hardware is operated for CNS at the Department of Interior (DOI) National\nBusiness Center (NBC) in Reston, Virginia. CNS has a Memorandum of Agreement with the\nNBC. NBC in turn has a contract with AMS for maintenance of the Momentum software.\nThe Momentum system is connected to the CNS LAN by a dedicated T-1 line.\n\nData in the Momentum application is critical to CNS financial management. Information in\nthe system may be sensitive and is covered under the Privacy Protection Act. 
The Momentum\nsystem also transmits sensitive but unclassified data.\n\nThe "senior program official" in CNS responsible for Momentum, in accordance with\nGISRA, is Gerry Yetter, Director of Accounting.\n\n\n\nSecurity policies relating to Momentum are generally comprehensive and well documented.\nHowever, policies should be updated to be in accordance with GISRA, and to specifically\naddress the role of the senior program official responsible for Momentum in the assessment of\nrisks, potential business impacts and degree of mitigation achieved through security controls.\n\nProcedures implementing policies are not as well documented as the policies, but for the most\npart are effective. However, the recently conducted Momentum risk assessment did not\nspecifically consider the business impact that would result if Momentum became unavailable.\nThis gap may result from the absence of CNS-specific procedures for conducting risk\nassessments; in this case CNS relied on the judgment of the firm it contracted for the\nre-accreditation assessments.\n\nMomentum has three external interfaces: to the USDA National Finance Center, to the\nSPAN/TRUST interface and to the Department of Health and Human Services. Written\nauthorization and a clear delineation of responsibilities for information security are not\nestablished for these external interfaces.\n\nCNS policy requires re-accreditation of systems every three years, and re-accreditation\nincludes a review of system controls. There is no policy for more frequent, ongoing security\ncontrols review of Momentum. The re-accreditation done in 2001 was only for a one-year\nperiod. CNS plans to repeat the process during 2002.\n\nThe methodology used for this GISRA assessment is the CIO Council\'s Federal Information\nSecurity Self-Assessment Framework. 
The Self-Assessment Framework requires the use of\nthe control criteria found in NIST Special Publication 800-26.\n\nThe following table summarizes the results of the assessment that was done based on the\nabove standards and criteria. The remainder of this report summarizes the key strengths and\nweaknesses for each of the major control objectives. Each weakness is classified into a high,\nmedium or low severity rating. Special weight was given to those areas that are directly\naddressed by the GISRA legislation.\n\n\n\n\n                            Level 1      Level 2      Level 3            Level 4              Level 5\n  Control Criteria          Documented   Documented   Implemented        Tested and Reviewed  Fully Integrated\n                            Policy       Procedures   Procedures and     Procedures and       Procedures and\n                                                      Controls           Controls             Controls\n\n  OVERALL                   Yes          Yes*         Yes*               Yes*                 No\n\n  MANAGEMENT\n  1. Risk Management        Yes          No           Yes*               Yes                  No\n  2. Security Controls      Yes          Yes          Yes                Yes*                 Yes*\n  3. Life Cycle             Yes          Yes          Yes*               No                   No\n  4. Authorize Processing   Yes          Yes          Yes*               Yes                  Yes*\n  5. Security Plan          Yes          Yes          Yes                Yes                  No\n\n  OPERATIONAL\n  1. Personnel Security     Yes*         Yes*         Yes*               Yes                  Yes*\n  2. Physical Protection    Yes          Yes          Yes                Yes*                 Yes*\n  3. Production I/O         Yes          Yes          Yes                Yes                  Yes\n  4. Contingency Plan       Yes          Yes          Yes                Yes*                 No\n  5. Hardware/Software      Yes          Yes          Yes                Yes                  Yes\n  6. Data Integrity         Yes          Yes          Yes                Yes                  Yes\n  7. Documentation          Yes          Yes          Yes                Yes                  Yes\n  8. Security Training      Yes          Yes*         Yes                Yes                  Yes\n  9. Incident Response      Yes*         Yes*         Yes*               Yes*                 No\n\n  TECHNICAL\n  1. Authentication         Yes          Yes          Yes*               Yes                  Yes\n  2. Logical Access         Yes          Yes          Yes                Yes                  Yes\n  3. Audit Trails           No           Yes          Yes*               Yes*                 No\n* some weaknesses observed\n\n\nA.       MANAGEMENT CONTROLS\n\n       1.     RISK MANAGEMENT\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          No           Yes*               Yes                No\n* some weaknesses observed\n\nStrengths: Risk assessments have been conducted for Momentum as part of the recent re-\naccreditation of the system, and in accordance with the CNS Computer Security policy.\n\nWeaknesses: There are no documented agency-wide procedures specifying how risk\nassessments should be done, and no documented procedures for evaluating business risk. In\nthe most recent risk analysis Momentum outage impacts are only expressed as high, medium,\nand low. There has been no evaluation of the business impact that would result if Momentum\nfunctionality is lost. (severity: medium)\n\nIn accordance with GISRA requirements, CNS has recently instituted a procedure to have the\nappropriate senior program official formally accept responsibility for the levels of risk and\nmitigation within the systems that support mission critical programs. This has been done for\nMomentum. 
Policies, procedures, position descriptions, and other related documents should\nbe updated to incorporate the GISRA requirements. (severity: low)\n\nCNS policies require risk assessments to be performed at least every three years or as changes\nare implemented in the application system. GISRA requires a review annually, as opposed to\nevery three years, as was previously required. Beginning in 2001, CNS is transitioning to\nannual assessments. (severity: low)\n\n       2.     SECURITY CONTROLS\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes                Yes*               Yes*\n* some weaknesses observed\n\nStrengths: Security controls for CNS\'s mission critical systems have been reviewed every\nthree years in accordance with OMB A-130 re-accreditation requirements. A re-accreditation\nsecurity review was done for Momentum in 2001.\n\nWeaknesses: CNS\'s Network and Computer Security policy states that "The Corporation\nconducts an independent audit or review on all major application or general support systems\nevery three years to verify the levels of protection are adequate and appropriate." CNS\nNetwork Computer Security Plan does not state the frequency of security controls reviews.\nGISRA requires a review annually, as opposed to every three years, as was previously\nrequired. 
A GISRA assessment, in accordance with OMB Memorandum M-01-08, using the\nCIO Council\'s Federal Information Technology Security Assessment Framework was not\ndone. (severity: medium)\n\n       3.     LIFE CYCLE\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes*               No                 No\n* some weaknesses observed\n\nStrengths: CNS has a systems development life cycle policy and methodology, and maintains\ndocumentation related to the Momentum application. A systems security plan for Momentum\nwas developed during the accreditation process. CNS\'s Momentum application is in the\noperational phase of the system development life cycle. Operational security responsibilities\nfor the Momentum system are divided between CNS staff and the National Business Center\n(NBC) staff. The application software was developed by AMS. 
NBC maintains a contract\nwith AMS for system maintenance, and itself provides software configuration tracking of\nchanges and enhancements per its Memorandum of Agreement with CNS.\n\nWeaknesses: There is very little documentation to substantiate that a System Development\nLife Cycle (SDLC) process continues to be followed for Momentum.\n\n       4.     AUTHORIZE PROCESSING (CERTIFICATION AND ACCREDITATION)\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes*               Yes                Yes*\n* some weaknesses observed\n\nStrengths: CNS has in place a computer security policy and plan that require applications to\nbe re-accredited every 3 years. CNS\'s mission critical application systems, including\nMomentum, were officially re-accredited in June 2001. During this process a security\nevaluation, risk assessment and penetration testing were completed. Accreditation reports are\ndeveloped and maintained as required.\n\nWeaknesses: Momentum has three external interfaces: to the USDA National Finance Center,\nSPAN/Trust and the Department of Health and Human Services. Written authorization and a\nclear delineation of responsibilities for information security do not exist for these external\ninterfaces. 
(severity: medium)\n\n       5.     SECURITY PLAN\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n\nStrengths: CNS maintains a system security plan for the Momentum application, in\naccordance with the CNS Computer Security Policy. The security plan was developed in\naccordance with NIST 800-18 guidance.\n\nWeaknesses: A summary of Security Plans is not incorporated in the Corporation\'s\nInformation Management Strategic Plan as required by GISRA. (severity: medium)\n\n\nB.       OPERATIONAL CONTROLS\n\n       1.     PERSONNEL SECURITY\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes*         Yes*         Yes*               Yes                Yes*\n* some weaknesses observed\n\nStrengths: Personnel security controls are in place for the Momentum system. Formal\ndocumented processes exist for requesting, issuing and establishing access and privileges\nwithin the Momentum application. CNS maintains computer security policy based on the\nconcept of least privilege, which requires that users only have access to that information that\nthey require to perform their job function. 
User rights are reviewed quarterly for\nappropriateness.\n\nWeaknesses: CNS does not perform extensive background checks on its employees. The\nHuman Resources Office has not issued any written policies on employee screening, but\nreports that it does request a National Agency Check on employees serving in certain select\npositions after they are hired. This requirement does not apply to all personnel. Additionally,\nCorporation termination procedures are not formally documented. Procedures should be\ndocumented for both friendly and unfriendly terminations. (severity: medium) Rules of\nBehavior for Momentum have not been set forth and are still under development by the CNS\nFinancial Systems Group. However, partially compensating controls exist. The Information\nSystems Request form requires users to acknowledge password security requirements, non-\ndisclosure of government information, proper use of information, and legal responsibilities.\n(severity: low)\n\n       2.     
PHYSICAL AND ENVIRONMENT PROTECTION\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes                Yes*               Yes*\n* some weaknesses observed\n\nStrengths: Physical and environmental controls have been implemented for the Momentum\napplication by the DOI National Business Center.\n\nWeaknesses: The Service Level Agreement with the National Business Center does not\naddress the facilities or environmental protection that is to be provided. GAO recently\nidentified weak computer security controls at the National Business Center in GAO-01-615,\n"Interior Information Security: Weak Controls Place Interior\'s Financial and Other Data at\nRisk", issued in July 2001. (severity: low)\n\n       3.     PRODUCTION INPUT/OUTPUT CONTROLS\n\n     Level 1      Level 2      Level 3            Level 4            Level 5\n     Documented   Documented   Implemented        Tested and         Fully Integrated\n     Policy       Procedures   Procedures and     Reviewed           Procedures and\n                               Controls           Procedures and     Controls\n                                                  Controls\n     Yes          Yes          Yes                Yes                Yes\n\nStrengths: User manuals are available for reference. 
The Momentum application has built-in edit checks to ensure that data entered is within a
valid character set. Reports generated from the Momentum system by CNS employees have a
sensitivity designation. CNS management has stated that 1) the Financial Services group of
CNS periodically performs reviews of transactions for budgeting purposes to investigate
anomalies; 2) on a monthly basis a review of users requesting transactions is performed to
ensure that appropriate personnel are making requests; and 3) a monthly review is also
performed to ensure that users obligating funds are not making payments as well.

Weaknesses: Users who have a need to run a report in Momentum are all given the same user
identification and password. This practice gives them the ability to run the Momentum
reports needed, but it weakens accountability for who is accessing the data in the system.
(severity: medium)

        4.    CONTINGENCY PLANNING

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes          Yes              Yes*             No
      * some weaknesses observed

Strengths: CNS maintains an agency-wide Continuity of Operations Plan. The Department of
the Interior National Business Center has continuity and disaster recovery procedures that
would move the Momentum application to an alternate processing site in Denver in the event
of a disaster.
CNS tested its disaster recovery plan in August 2001.

Weaknesses: The disaster recovery testing did not include business continuity plan testing.
(severity: medium) The Department of the Interior National Business Center Momentum
Disaster Recovery and Backup Plan is currently only in draft. (severity: medium)

        5.    HARDWARE AND SYSTEM SOFTWARE MAINTENANCE

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes          Yes              Yes              Yes

Strengths: Hardware and software maintenance and development controls are in place for the
Momentum system. CNS follows a systems development life cycle methodology. The
application is currently in the operational phase and is operated by the Department of the
Interior National Business Center (NBC).
The Service Level Agreement with the NBC calls for the NBC to provide monitoring,
maintenance and tracking of configuration changes for the hardware, system software,
database software and telecommunications.

Weaknesses: None observed.

        6.    DATA INTEGRITY

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes          Yes              Yes              Yes

Strengths: Corporation management states that the Financial Services group periodically
performs reviews of transactions for budgeting purposes to investigate anomalies.
Specifically, on a monthly basis a review of users requesting transactions is performed to
ensure that appropriate personnel are making requests. A monthly review is also performed
to ensure that users obligating funds are not making payments as well.
A user support help desk and training are available to assist users who experience problems
with the Momentum application.

Weaknesses: None observed.

        7.    DOCUMENTATION

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes          Yes              Yes              Yes

Strengths: Documentation controls are in place for the Momentum system. AMS developed
the Momentum application and provided user, administration and training manuals and guides
to CNS. CNS management has stated that a Disaster Recovery Plan for the Momentum
application hosted at the National Business Center is in draft.

Weaknesses: None observed.

        8.    SECURITY AWARENESS, TRAINING AND EDUCATION

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes*         Yes              Yes              Yes
      * some weaknesses observed

Strengths: Adequate security awareness and training programs are in place for the
Momentum system. Corporation employees and contractors are required to complete annual
security awareness training. Training requires all CNS IT users to acknowledge rules and
guidelines by which they must abide. Momentum-specific training is provided on an
as-needed basis to Momentum users. An electronic version of the Momentum documentation
is available on the Corporation's Intranet site.

Weaknesses: Rules of Behavior for the Momentum application are still under development
by the CNS Financial Systems Group. (severity: low)

        9.    INCIDENT RESPONSE CAPABILITY

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes*         Yes*         Yes*             Yes*             No
      * some weaknesses observed

Strengths: CNS has documented Computer Incident Response Guidelines which specify
internal reporting procedures for detected security incidents.

Weaknesses: CNS's Incident Response Guidelines do not address the conditions or
procedures for involving the CNS Office of Inspector General (OIG) or external federal
authorities, as required by GISRA. Reporting procedures should be developed that describe
under what conditions an incident should be reported to the OIG or to authorities outside of
the CNS such as FEDCIRC or the FBI. The reporting procedures should describe to whom
the incident is to be reported and the information to be provided in the report. The CIO
acknowledges the requirement to update the reporting guidelines to comply with GISRA and
is in the process of completing that task. In the interim, the CIO has indicated they will report
security incidents to the OIG and appropriate external authorities. (severity: medium) CNS
should ensure that the National Business Center has procedures to notify the appropriate CNS
authorities if an incident is detected relating to the Momentum application, and that such
notification is included in the NBC Service Level Agreement. (severity: high)

C.      TECHNICAL CONTROLS

        1.    IDENTIFICATION AND AUTHENTICATION

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes          Yes*             Yes              Yes
      * some weaknesses observed

Strengths: Identification and authentication controls are in place for the Momentum system.
All CNS users are required to identify and authenticate themselves by providing a valid
username and password at the network level. CNS users who have been assigned Momentum
privileges are then required to provide a separate Momentum user name and password to
log in to the application. Passwords are masked when the user logs in, and users are
required to change their password at a minimum every 90 days. CNS management has stated
that lists of current users are generated quarterly (every 90 days) and are provided to
management to review for appropriateness. Distribution of initial Momentum passwords and
user account information is documented and the process is adequately controlled.

Weaknesses: CNS management acknowledges that some CNS users have weak passwords
and makes periodic efforts to educate users. Automated enforcement of strong passwords has
not been implemented. Additional authentication methods are not used. CNS has
undocumented procedures for OIT to issue and reissue passwords. (severity: medium)

        2.    LOGICAL ACCESS CONTROLS

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes          Yes              Yes              Yes

Strengths: Logical access controls are in place for the Momentum system. CNS users are
required to log in to the CNS network before they are able to access the Momentum
application. Users are required to use a separate login for the Momentum application. User
accounts are reviewed quarterly to ensure that only authorized employees have accounts.
Upon login to the CNS network a login banner is displayed. No separate login banner is
displayed when users log in to the Momentum application.

Weaknesses: None observed.

        3.    AUDIT TRAILS

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      No           Yes          Yes*             Yes*             No
      * some weaknesses observed

Strengths: A transaction journal logs every transaction that is processed. According to CNS
management, periodic tests and reviews of the data are performed by the Financial Services
group.
Monthly tests are performed to verify that users requesting transactions are not
obligating funds and that users obligating funds are not making payments. An additional
monthly review is performed of the budgets for all transactions processed by Momentum. A
quarterly review is performed to verify that access rights are appropriate. User manuals and
training are provided that specify how to complete these functions within Momentum, and
how to review the transaction logs.

Weaknesses: There is no policy that requires that the procedures and tests listed above be
performed regularly. For instance, there is no policy that the "Security Access Violation
Query" and "Override Error Log Query" reports be generated and reviewed regularly.

APPENDIX D

                                                                         Appendix D

                   OFFICE OF INSPECTOR GENERAL
           CORPORATION FOR NATIONAL AND COMMUNITY SERVICE

        SYSTEM FOR PROGRAMS, AGREEMENTS AND NATIONAL SERVICE PARTICIPANTS (SPAN)
                         GISRA ASSESSMENT SUMMARY

The SPAN application was implemented in 1995 to process education award payments for the
AmeriCorps National Service Program. The VISTA Management System (VMS), integrated
into SPAN in March 2001, tracks the status of and makes payments to participants of the
Volunteers in Service to America (VISTA) program. Three dedicated Windows NT servers
within the Corporation Network provide separate production, development, and testing
platforms for SPAN.
SPAN is based on an Oracle database management system, and was developed using Oracle
application development tools: Oracle Forms for data entry screens, and Crystal Report
Writer and Oracle Reports for report generation. SQL SECURE Password Manager by
BrainTree provides authentication and access security to SPAN.

SPAN interfaces with Momentum, WBRS, and the Department of the Treasury. Weekly file
uploads to Momentum update Corporation accounting data. SPAN uses electronic file
transfers to receive enrollment data from WBRS, and to provide updated financial information
to WBRS. For the Treasury interface, a SPAN export function creates a payment file which is
electronically transmitted to Treasury from a stand-alone workstation using Treasury
software. There is no direct connection between SPAN and Treasury's financial management
system.

The senior Corporation for National Service (CNS) program official responsible for SPAN is
Charlene Dunn, Director of Trust Management.

Security policies relating to SPAN are generally comprehensive and well documented.
However, in accordance with GISRA, policies should be updated to specifically address the
role of the senior program official responsible for SPAN in the assessment of risks, potential
business impacts and degree of mitigation achieved through security controls.

Procedures implementing policies are not as well documented as the policies, but for the most
part are effective. For instance, the recently conducted SPAN risk assessment does not
specifically consider the business impact that would result if SPAN became unavailable.
This gap may result from the absence of CNS-specific procedures for conducting risk
assessments.
CNS contracts with a commercial vendor to perform this analysis and relies on its
methodology and expertise.

                                          Page D - 1

General security controls are the same as for other systems on the CNS network, but
SPAN-specific security controls are not documented. For instance, there is no documentation
of procedures for an on-going process of security controls review specifically for SPAN, and
no documentation of procedures for handling and reviewing SPAN audit logs. Although CNS
management has stated that the System Development Life Cycle methodology was followed
during the recent integration of VMS into SPAN, there is little supporting SDLC
documentation for SPAN.

As with other systems on the CNS network, CNS management acknowledges that some CNS
users have weak passwords and makes periodic efforts to educate users. Automated
enforcement of strong passwords has not been implemented. Additional authentication
methods are not used.

The methodology used for this GISRA assessment is the CIO Council's Federal Information
Security Self-Assessment Framework. The Self-Assessment Framework requires the use of
the control criteria found in NIST Special Publication 800-26.

The following table summarizes the results of the assessment that was done based on the
above standards and criteria. The remainder of this report summarizes the key strengths and
weaknesses for each of the major control objectives. Each weakness is classified into a high,
medium, or low severity rating.
Special weight was given to those areas that are directly addressed by the GISRA legislation.

                                Level 1      Level 2      Level 3          Level 4          Level 5
  Control                       Documented   Documented   Implemented      Tested and       Fully Integrated
  Criteria                      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                                          Controls         Procedures and   Controls
                                                                           Controls

  OVERALL                       Yes

  MANAGEMENT
  1. Risk Management            Yes          No           Yes*             Yes              No
  2. Security Controls          Yes          Yes          Yes              Yes*             Yes*
  3. Life Cycle                 Yes          Yes          Yes*             No               No
  4. Authorize Processing       Yes          Yes          Yes              Yes              Yes
  5. Security Plan              Yes          Yes          Yes              Yes              No

  OPERATIONAL
  1. Personnel Security         Yes*         Yes*         Yes*             Yes              Yes*
  2. Physical Protection        Yes          Yes*         Yes*             Yes*             No
  3. Production I/O             Yes          Yes*         Yes*             Yes              Yes*
  4. Contingency Plan           Yes          Yes          Yes              Yes*             No
  5. Hardware/Software          Yes          Yes*         Yes*             Yes*             No
  6. Data Integrity             Yes          Yes*         Yes*             Yes              Yes*
  7. Documentation              Yes          Yes*         Yes              Yes              Yes*
  8. Security Training          Yes          Yes          Yes              Yes              Yes
  9. Incident Response          Yes*         Yes*         Yes*             Yes*             No

  TECHNICAL
  1. Authentication             Yes          Yes          Yes*             Yes              Yes
  2. Logical Access             Yes          Yes          Yes              Yes              Yes
  3. Audit Trails               Yes          Yes*         Yes*             Yes*             No
  * some weaknesses observed

A.      MANAGEMENT CONTROLS

        1.    RISK MANAGEMENT

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          No           Yes*             Yes              No
      * some weaknesses observed

Strengths: Risk Management policies for SPAN are documented and current. A risk analysis
was conducted as part of the SPAN re-accreditation process, and is included as part of the
accreditation document.
The re-accreditation was completed in June 2001, and is effective for one year.

Weaknesses: There are no documented agency-wide procedures specifying how risk
assessments should be done, and no documented procedures for evaluating business risk.
CNS contracts with a commercial vendor to perform this analysis and relies on its expertise.
In the most recent risk analysis SPAN outage impacts are only expressed as high, medium,
and low. There has been no evaluation of the business impact that results when SPAN
functionality is lost. (severity: medium)

In accordance with GISRA requirements, CNS has recently instituted a procedure to have the
appropriate senior program official formally accept responsibility for the levels of risk and
mitigation within the systems that support mission critical programs. This has been done for
SPAN. Policies, procedures, position descriptions, and other related documents should be
updated to incorporate these GISRA requirements. (severity: low)

        2.    REVIEW OF SECURITY CONTROLS

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes          Yes              Yes*             Yes*
      * some weaknesses observed

Strengths: CNS policy requires that the security controls for mission critical systems be
reviewed every three years as part of the re-accreditation process. A recent review of SPAN
security controls was performed.
The report is included in the SPAN Accreditation document dated June 21, 2001, and is
effective for one year.

Weaknesses: A GISRA assessment in accordance with the CIO Council's Federal
Information Technology Security Assessment Framework was not done. The SPAN Security
Controls Review Report included with the SPAN Accreditation Report does not indicate any
controls testing that may have been conducted during the SPAN accreditation process. In
addition, there is no evidence that during the recent integration of VMS into SPAN any new
controls have been tested to ensure that the new controls meet security specifications.
(severity: low)

No documentation has been identified that demonstrates that an on-going process is in place
to evaluate the effectiveness of SPAN security controls, or to maintain adequate protections.
(severity: low)

        3.    LIFE CYCLE

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes          Yes*             No               No
      * some weaknesses observed

Strengths: The SPAN Security Plan states that the CNS System Development Life Cycle
(SDLC) process was followed for the implementation, development, and
operation/maintenance phases of the SPAN life cycle.
The SPAN Security Plan also states that the IT Security Representative was heavily involved
with the recent integration of VMS into SPAN. SPAN is now in its operational phase.

Weaknesses: There is little documentation to substantiate that an SDLC process was followed
during the recent integration of VMS into SPAN, and also little documentation of a change
control process used for applying vendor-provided maintenance updates to Oracle, the
operating system software, and the security software. Lack of such documentation could
hinder an investigation of the source of problems if a security incident were to occur.
(severity: low)

CNS uses Oracle Designer/2000 for application software development and maintenance.
Oracle Designer/2000 contains built-in security functions for application-specific privileges
and roles, provides quality control, and includes reporting capabilities for detailed system
design documentation. This provides some compensating controls.

        4.    AUTHORIZE PROCESSING (CERTIFICATION AND ACCREDITATION)

      Level 1      Level 2      Level 3          Level 4          Level 5
      Documented   Documented   Implemented      Tested and       Fully Integrated
      Policy       Procedures   Procedures and   Reviewed         Procedures and
                                Controls         Procedures and   Controls
                                                 Controls
      Yes          Yes          Yes              Yes              Yes

Strengths: In accordance with CNS policies, SPAN was formally re-accredited in June 2001
for one year.
During the re-accreditation process a security evaluation and risk assessment\nwere completed, and a security plan developed.\n\nWeaknesses: None observed.\n\n\n\n      Level 1    Level 2     Level 3                      Level 4           Level 5\n    Documented Documented Implemented                    Tested and     Fully Integrated\n      Policy   Procedures Procedures and                 Reviewed       Procedures and\n                             Controls                  Procedures and       Controls\n                                                          Controls\n       Yes           Yes            Yes                     Yes               No\n\nStrengths: CNS has developed and implemented a security plan for the SPAN application, in\naccordance with the CNS Computer Security Policy. The plan is included in the SPAN\naccreditation document dated June 21, 2001. The accreditation process included a review of\nprocedures and controls.\n\nWeaknesses: The SPAN Security Plan is not summarized in CNS\'s Information Management\nStrategic Plan, as required by GISRA. (severity: low)\n\nThere is no business case document that defines the resources required for the on-going\nsecurity of the SPAN system. (severity: low)\n\n\n\n\n                                          Page D - 6\n\x0c                                                                          Appendix D\n mm\nB.      OPERATIONAL CONTROLS\n\n        1.    
PERSONNEL\n                     SECURITY\n\n      Level 1    Level 2     Level 3                        Level 4           Level 5\n    Documented Documented Implemented                      Tested and     Fully Integrated\n      Policy   Procedures Procedures and                   Reviewed       Procedures and\n                             Controls                    Procedures and       Controls\n                                                            Controls\n     Yes*          Yes*             Yes*                      Yes              Yes*\n* some weaknesses observed\nStrengths: Personnel security controls are in place for the SPAN application system.\nDocumented processes exist for requesting, issuing and establishing access rights and\nprivileges within the SPAN application. CNS management states that established procedures\nand controls are not bypassed to allow emergency access. CNS maintains computer security\npolicy based on the concept of least privilege, which requires that users only have access to\nthat information which they require to complete their job function. CNS personnel security\npolicies and procedures are consistent agency-wide.\n\nWeaknesses: Policies and procedures address accountability, and need-to-know for access to\ninformation and processing, but do not explicitly address separation of duties. CNS does not\nperform extensive background checks on its employees. The Human Resources Office has\nnot issued any written policies on employee screening, but reports that it does request a\nNational Agency Check on employees serving in certain select positions after they are hired.\nThis requirement does not apply to all personnel. Employee termination procedures are not\ndocumented. Termination procedures should be documented and include procedures for both\nfriendly and unfriendly terminations. (severity: low)\n\n         2.    
PHYSICAL\n                      AND ENVIRONMENT\n                                   PROTECTION\n\n       Level 1    Level 2     Level 3                       Level 4           Level 5\n     Documented Documented Implemented                     Tested and     Fully Integrated\n       Policy   Procedures Procedures and                  Reviewed       Procedures and\n                              Controls                   Procedures and       Controls\n                                                            Controls\n       Yes           Yes*            Yes*                     Yes*               No\n*   some weaknesses observed\n\nStrengths: The computer room at CNS headquarters where SPAN operates is a restricted\naccess facility. Access to the computer room is logged.\n\nAccess to general office areas are controlled by electronic access keys. Receptionists control\naccess for those without access keys.\n\n\n\n                                            Page D - 7\n\x0c                                                                          Appendix D\n\n\nThe computer room has an unintermptible power supply that will allow time for an orderly\nshutdown of systems, if a power outage occurs.\n\nWeaknesses: Physical controls are in place, but a physical and environmental risk assessment\nhas not been done. Controls may not be aligned with actual threats and vulnerabilities. For\ninstance, plumbing line locations are not documented, so computer equipment and business\nrecords may be vulnerable to water damage. (severity: low)\n\nOIG has previously reported weak accountability for the electronic access keys and for the\nmaster keys that control access to every floor. There are no documented requirements or\nprocedures for securing unused keys. (severity: medium) Reception personnel do not\nconsistently challenge visitors. 
(severity: low)

3. PRODUCTION, INPUT/OUTPUT CONTROLS

  Level 1 (Documented Policy): Yes
  Level 2 (Documented Procedures): Yes*
  Level 3 (Implemented Procedures and Controls): Yes*
  Level 4 (Tested and Reviewed Procedures and Controls): Yes
  Level 5 (Fully Integrated Procedures and Controls): Yes*
  * some weaknesses observed

Strengths: Separate test and development platforms, and controls over migrating software into the production environment, prevent unauthorized access to production systems.

There is no central operations staff for SPAN, except that a help desk at CNS headquarters provides first level support for questions and technical problems locally and nationally. SPAN users control the input and output processes.

Weaknesses: Production input and output controls are informal at CNS headquarters. (severity: low)

4. CONTINGENCY PLANNING

  Level 1 (Documented Policy): Yes
  Level 2 (Documented Procedures): Yes
  Level 3 (Implemented Procedures and Controls): Yes
  Level 4 (Tested and Reviewed Procedures and Controls): Yes*
  Level 5 (Fully Integrated Procedures and Controls): No
  * some weaknesses observed

Strengths: A Corporation headquarters Disaster Recovery Plan (DRP) and Business Continuity / Contingency Plan (BCCP) are in place.

Weaknesses: The headquarters DRP was tested in August 2001.
The BCCP has not been tested. Distribution of the DRP and BCCP is not documented. Employee training in recovery roles and responsibilities is not documented. (severity: low)

The Service Center and State Office that were reviewed depend upon headquarters OIT to restore their IT environment. They do not have documented business recovery plans or capabilities for recovery of business functions. The file server at the Service Center is backed up to tape weekly on a four-week rotation. Tapes are kept in a safe located in a room adjacent to the server room. A tape is sent quarterly to headquarters for permanent archival. (severity: low)

5. HARDWARE AND SYSTEM SOFTWARE MAINTENANCE

  Level 1 (Documented Policy): Yes
  Level 2 (Documented Procedures): Yes*
  Level 3 (Implemented Procedures and Controls): Yes*
  Level 4 (Tested and Reviewed Procedures and Controls): Yes*
  Level 5 (Fully Integrated Procedures and Controls): No
  * some weaknesses observed

Strengths: Change control procedures are in place to ensure the integrity and stability of production hardware and software systems. Separate test and development platforms, and controls over migrating software into the production environment, prevent unauthorized access to production systems.

Access to system software is restricted to a limited number of personnel, corresponding to job responsibilities.
New system software versions or products, and modifications to existing system software, receive proper authorization and are supported by a change request document.

Weaknesses: Only an informal impact analysis is conducted to determine the effect of proposed changes on existing security controls, including the training required to implement the control. (severity: low) There is no documentation showing that system components (operating system, utilities, applications) are tested and approved prior to promotion to production. (severity: low) There is no documentation showing that detailed system specifications are prepared and reviewed by management. (severity: low) There is no documentation showing the type of test data to be used, i.e., live or made up. (severity: low) There is no documentation showing that software distribution implementation orders, including effective date, are provided to all locations. (severity: low) There is no documentation showing that the distribution and implementation of new or revised software is documented and reviewed. (severity: low) There is no documentation showing that emergency changes are documented and approved by management, either prior to the change or after the fact. (severity: low) There is no documentation showing that contingency plans and other associated documentation are updated to reflect system changes.
(severity: low)

6. DATA INTEGRITY

  Level 1 (Documented Policy): Yes
  Level 2 (Documented Procedures): Yes*
  Level 3 (Implemented Procedures and Controls): Yes*
  Level 4 (Tested and Reviewed Procedures and Controls): Yes
  Level 5 (Fully Integrated Procedures and Controls): Yes*
  * some weaknesses observed

Strengths: Data integrity and validation controls are used to provide assurance that the information has not been altered and the system functions as intended.

SPAN data integrity is maintained through access control procedures. Users are restricted based on need-to-know and the principle of "least privilege", as determined and authorized by the employee's supervisor. Corrections to invalid entries in the database cannot be made using the Oracle Forms interface. Corrections can only be made by a designated SPAN user who is given temporary SQL access, and only after justification for the action is provided and the change is approved by the Director of the National Service Trust, the Deputy CIO, the DBA, and the Information Systems Security Officer.

Inappropriate or unusual activity on the SPAN system is investigated and appropriate actions taken.

Procedures are in place to determine compliance with password policies.

Penetration testing is performed on the SPAN system when changes are significant enough to warrant re-testing.

Weaknesses: There is no documentation concerning whether reconciliation routines (i.e., checksums, hash totals, record counts) are used for the SPAN application.
(severity: low)

There is no documentation showing that integrity verification programs are used by the SPAN application to look for evidence of data tampering, errors, and omissions. (severity: low)

WBRS provides data that feeds into SPAN. Because access to WBRS is controlled by many organizations and is not under CNS direct control, there is a potential for the WBRS data to be corrupted. That could result in unreliable data being passed to SPAN. (severity: low)

There is no documentation showing that system performance monitoring is used to analyze system performance logs in real time to look for availability problems, including active attacks. (severity: low)

7. DOCUMENTATION

  Level 1 (Documented Policy): Yes
  Level 2 (Documented Procedures): Yes*
  Level 3 (Implemented Procedures and Controls): Yes
  Level 4 (Tested and Reviewed Procedures and Controls): Yes
  Level 5 (Fully Integrated Procedures and Controls): Yes*
  * some weaknesses observed

Strengths: User documentation for the SPAN application is available on-line. Oracle system documentation is also maintained on-line. The Oracle Designer/2000 tool is used to document business requirements, visually model the database schema, produce the entity relationship diagram, and create the database schema.
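The reconciliation controls that the Data Integrity weaknesses above say are undocumented (record counts, hash totals and checksums), applied to a batch feed of the kind WBRS supplies to SPAN, as an added example that is not code from this report or from CNS. The record layout, the field names and the sample records are constructed for the example; the sender computes control totals over the batch and the receiver recomputes them, rejecting the batch on any disagreement and reporting which control failed:

```python
"""Batch reconciliation modelled on the control types named in the Data
Integrity section (record counts, hash totals, checksums). Constructed
example: the '|'-separated layout and the field names are assumptions,
not the WBRS/SPAN interface."""
import hashlib
from typing import Dict, List

# Constructed sample feed, one record per line: member_id|hours_served|award_amount
SAMPLE_FEED = """\
M001|120|475.00
M002|300|1187.50
M003|45|178.13
"""


def control_totals(feed_text: str) -> Dict[str, object]:
    """Sender side: record count, hash totals over the numeric fields, checksum of the bytes."""
    lines = [ln for ln in feed_text.splitlines() if ln.strip()]
    hours = 0
    amount_cents = 0
    for ln in lines:
        _member_id, h, amt = ln.split("|")
        hours += int(h)
        amount_cents += round(float(amt) * 100)   # integer cents: no float drift in the total
    return {
        "record_count": len(lines),
        "hash_total_hours": hours,
        "hash_total_amount_cents": amount_cents,
        "checksum_sha256": hashlib.sha256(feed_text.encode("utf-8")).hexdigest(),
    }


def reconcile(feed_text: str, expected: Dict[str, object]) -> List[str]:
    """Receiver side: recompute the controls and list every one that disagrees (empty = accept)."""
    actual = control_totals(feed_text)
    return [f"{k}: expected {expected[k]}, got {actual[k]}"
            for k in expected if expected[k] != actual[k]]


def demo() -> Dict[str, List[str]]:
    """Clean feed passes; an edited amount and a dropped record are each caught."""
    expected = control_totals(SAMPLE_FEED)                     # sent with the batch
    tampered = SAMPLE_FEED.replace("M003|45|178.13", "M003|45|978.13")
    truncated = "".join(SAMPLE_FEED.splitlines(keepends=True)[:2])
    return {
        "clean": reconcile(SAMPLE_FEED, expected),
        "tampered": reconcile(tampered, expected),
        "truncated": reconcile(truncated, expected),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "accepted")
```

The totals are kept in integer cents so that floating-point rounding cannot produce a false mismatch. The checksum catches any change the totals cannot see (a reordered line, an edited identifier), while the hash totals and record count tell the reviewer what kind of change occurred: an amount edit trips only the amount total and the checksum, a dropped record trips every control.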
Designer/2000 is also used to document the internal processes and configuration of the SPAN application.

Weaknesses: The following types of documentation are lacking:
  - written agreements regarding how data is shared between interconnected systems (severity: low);
  - backup procedures specific to the SPAN application and system software (severity: low); and
  - software and hardware testing procedures and results (severity: low).

8. SECURITY AWARENESS, TRAINING AND EDUCATION

  Level 1 (Documented Policy): Yes
  Level 2 (Documented Procedures): Yes
  Level 3 (Implemented Procedures and Controls): Yes
  Level 4 (Tested and Reviewed Procedures and Controls): Yes
  Level 5 (Fully Integrated Procedures and Controls): Yes

Strengths: All Corporation employees and contractors are required to complete annual security awareness training. Training requires all CNS IT users to acknowledge rules and guidelines by which they must abide. SPAN-specific training is provided for users as needed, and a help desk provides additional support for questions and problems. The SPAN Operator's Guide also emphasizes the user's security responsibilities.
Information technology and security personnel attend conferences and specialized training to further their knowledge of security.

Weaknesses: None observed.

9. INCIDENT RESPONSE CAPABILITY

  Level 1 (Documented Policy): Yes*
  Level 2 (Documented Procedures): Yes*
  Level 3 (Implemented Procedures and Controls): Yes*
  Level 4 (Tested and Reviewed Procedures and Controls): Yes*
  Level 5 (Fully Integrated Procedures and Controls): No
  * some weaknesses observed

Strengths: CNS has documented Computer Incident Response Guidelines which specify internal reporting procedures for detected security incidents.

CNS management states that alerts/advisories are routinely received from multiple external sources, and appropriate action taken.

Weaknesses: CNS's Incident Response Guidelines do not specify under what circumstances external federal authorities will be notified, nor under what circumstances the CNS Office of Inspector General will be notified, as required by GISRA. They also do not address notification to owners of interconnected systems. The procedure for contacting other parties, the points of contact, and the nature of the information to be provided to them are not described. The CIO acknowledges the requirement to update the reporting guidelines to comply with GISRA and is in the process of completing that task.
In the interim, the CIO has indicated that security incidents will be reported to the OIG and appropriate external authorities. (severity: medium)

The following types of documentation are lacking:
  - documentation showing that incidents are monitored and tracked until resolved (severity: low); and
  - documentation showing that personnel are trained to recognize and handle incidents (severity: low).

C. TECHNICAL CONTROLS

1. IDENTIFICATION AND AUTHENTICATION

  Level 1 (Documented Policy): Yes
  Level 2 (Documented Procedures): Yes
  Level 3 (Implemented Procedures and Controls): Yes*
  Level 4 (Tested and Reviewed Procedures and Controls): Yes
  Level 5 (Fully Integrated Procedures and Controls): Yes
  * some weaknesses observed

Strengths: All CNS users are required to identify and authenticate themselves by providing a valid username and password at the network level. CNS users who have been assigned SPAN privileges are then required to provide a separate, unique SPAN user name and password to log into the application. Passwords are masked when the user logs in, and users are required to change their password at a minimum every 90 days. Lists of current users are generated quarterly (every 90 days) and are provided to management to review for appropriateness. Accounts are disabled after five failed logon attempts. New SPAN accounts are locked if they are not used within 30 days.
Existing accounts are locked if passwords are not changed after 90 days. Procedures are in place for handling lost and compromised passwords. All actions are logged and correlated with users by the system. CNS authentication procedures are consistent agency-wide.

Weaknesses: CNS management acknowledges that some CNS users have weak passwords and makes periodic efforts to educate users. Automated enforcement of strong passwords has not been implemented. Additional authentication methods are not used. (severity: medium)

2. LOGICAL ACCESS CONTROLS

  Level 1 (Documented Policy):
  Level 2 (Documented Procedures):
  Level 3 (Implemented Procedures and Controls):
  Level 4 (Tested and Reviewed Procedures and Controls): Yes
  Level 5 (Fully Integrated Procedures and Controls): Yes

Strengths: CNS users are required to log into the CNS network before they are able to access the SPAN application. Once logged on, the user is restricted to functions and transactions based on job duties. Oracle is able to restrict access to authorized relations, tables, views, data elements, and operations. Users are prohibited access to the SQL prompt. Access control software prevents one individual from having the authority or information access necessary to carry out fraudulent activity without collusion.

There is no direct dial-in to SPAN, and no public access. State offices dial into the Corporation Network and must be properly authenticated before gaining access to SPAN. SPAN resides inside the Corporation Network firewall and is protected by an intrusion detection system. It is CNS policy not to authorize emergency and temporary access until proper procedures are followed.
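The account controls listed under Identification and Authentication (passwords changed at least every 90 days, accounts disabled after five failed logon attempts, new accounts locked if unused within 30 days, existing accounts locked when the password is not changed after 90 days), together with the automated strong-password check that the weakness says was not implemented, as an added example that is not CNS or SPAN code. The Account record, the composition rule used for password strength, and the sample accounts are assumptions made for the example; the numeric limits are the ones the report states:

```python
"""Account lifecycle and password checks modelled on the rules this appendix
lists for SPAN. Constructed example, not CNS or SPAN code: the Account record,
the strength rule and the sample accounts are assumptions; the numeric limits
are the ones the report states."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import re

MAX_PASSWORD_AGE_DAYS = 90      # passwords must change at least every 90 days
MAX_FAILED_LOGONS = 5           # account disabled after five failed attempts
NEW_ACCOUNT_UNUSED_DAYS = 30    # new accounts locked if not used within 30 days


@dataclass
class Account:
    user_id: str
    created: date
    password_changed: date
    last_logon: Optional[date] = None   # None means the account was never used
    failed_logons: int = 0
    locked: bool = False


def password_strength_problems(pw: str, user_id: str) -> List[str]:
    """Assumed composition rule: 8+ characters, 3 of 4 character classes, not the user ID."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if user_id.lower() in pw.lower():
        problems.append("contains the user ID")
    return problems


def lock_reason(acct: Account, today: date) -> Optional[str]:
    """Apply the lockout rules; return why the account should be locked, or None."""
    if acct.failed_logons >= MAX_FAILED_LOGONS:
        return "too many failed logon attempts"
    if acct.last_logon is None and (today - acct.created).days > NEW_ACCOUNT_UNUSED_DAYS:
        return "new account not used within 30 days"
    if (today - acct.password_changed).days > MAX_PASSWORD_AGE_DAYS:
        return "password not changed within 90 days"
    return None


def record_logon(acct: Account, success: bool, today: date) -> bool:
    """Update the account after a logon attempt; return True only if access is granted."""
    if acct.locked:
        return False
    if success:
        acct.failed_logons = 0
        acct.last_logon = today
    else:
        acct.failed_logons += 1
    if lock_reason(acct, today):        # a fifth failure or an expired password locks at once
        acct.locked = True
        return False
    return success


def sweep_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Periodic job: lock stale accounts and return the list management reviews."""
    report = []
    for acct in accounts:
        reason = lock_reason(acct, today)
        if reason:
            acct.locked = True
        report.append((acct.user_id, "locked: " + reason if reason else "active"))
    return report


def demo() -> Dict[str, str]:
    """Four constructed accounts swept on a fixed date; returns user -> status."""
    today = date(2001, 9, 26)
    accounts = [
        Account("active1", date(2001, 1, 1), date(2001, 8, 1), last_logon=date(2001, 9, 1)),
        Account("stale_pw", date(2001, 1, 1), date(2001, 6, 1), last_logon=date(2001, 9, 1)),
        Account("never_used", date(2001, 8, 1), date(2001, 8, 1)),
        Account("brute", date(2001, 1, 1), date(2001, 9, 1), last_logon=date(2001, 9, 1)),
    ]
    for _ in range(MAX_FAILED_LOGONS):          # five failed attempts against "brute"
        record_logon(accounts[3], False, today)
    return dict(sweep_accounts(accounts, today))


if __name__ == "__main__":
    for user, status in demo().items():
        print(f"{user:12} {status}")
    print(password_strength_problems("jdoe1234", "jdoe"))
```

Running demo() sweeps four constructed accounts on a fixed date and reports which lockout rule, if any, applies to each. The same lock_reason() rule set is applied inside record_logon(), so an expired password or a fifth failed attempt takes effect at logon time rather than waiting for the periodic sweep; password_strength_problems() is the check that would be called on every password change.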
CNS management states that the SPAN access control list is internally encrypted on the SPAN computer system.

CNS authentication procedures are consistent agency-wide.

Weaknesses: WBRS provides data that feeds into SPAN. Because access to WBRS is controlled by many organizations and is not under CNS direct control, there is a potential for the WBRS data to be corrupted. That could result in unreliable data being passed to SPAN. (severity: low) The following types of documentation are lacking:
  - documentation indicating that terminals automatically log off and screensavers lock the session after a period of inactivity (severity: low); and
  - documentation indicating whether access is restricted to files at the record level or field (data element) level (severity: low).

3. AUDIT TRAILS

  Level 1 (Documented Policy): Yes
  Level 2 (Documented Procedures): Yes*
  Level 3 (Implemented Procedures and Controls): Yes*
  Level 4 (Tested and Reviewed Procedures and Controls): Yes*
  Level 5 (Fully Integrated Procedures and Controls): No
  * some weaknesses observed

Strengths: Audit trails provided by the network operating systems ensure accountability at the network level.
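An automated review of an application audit trail whose records carry date, time, user ID and a description of the activity, of the kind the Audit Trails weaknesses ask whether SPAN uses, as an added example that is not the SPAN audit tool or any CNS code. The line format, the user names, the business-hours window and the set of users approved for SQL access are constructed for the example; the rules flag activity outside business hours, SQL sessions by anyone other than the designated user (the Data Integrity section says corrections are made only by a designated user with temporary SQL access), and repeated failed logons at the five-attempt level this appendix cites:

```python
"""Automated audit-trail review over records of the form
'YYYY-MM-DD HH:MM:SS user_id description'. Constructed example; the line
format, the users, the hours window and the SQL-authorised set are
assumptions, not SPAN's audit tooling."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample audit records
SAMPLE_AUDIT = """\
2001-09-24 09:02:11 asmith LOGON success
2001-09-24 09:05:40 asmith UPDATE member_hours id=M001
2001-09-24 23:47:03 bjones LOGON success
2001-09-24 23:49:15 bjones SQLPLUS session opened
2001-09-25 08:10:00 cwhite LOGON failed
2001-09-25 08:10:20 cwhite LOGON failed
2001-09-25 08:10:41 cwhite LOGON failed
2001-09-25 08:11:02 cwhite LOGON failed
2001-09-25 08:11:30 cwhite LOGON failed
2001-09-25 10:30:00 dba01 SQLPLUS session opened
"""

BUSINESS_HOURS = range(7, 20)      # 07:00-19:59, an assumption for the example
FAILED_LOGON_THRESHOLD = 5         # the five-attempt lockout level in this appendix
SQL_AUTHORISED = {"dba01"}         # designated user with approved SQL access (assumed)


def parse_audit(text: str) -> List[Tuple[datetime, str, str]]:
    """Split each record into (timestamp, user_id, description); blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, user, desc = line.split(" ", 3)
        records.append((datetime.fromisoformat(f"{day} {clock}"), user, desc))
    return records


def review_audit(text: str) -> Dict[str, List[str]]:
    """Return findings keyed by rule name; an empty dict means nothing to escalate."""
    findings = defaultdict(list)
    failed = Counter()
    for ts, user, desc in parse_audit(text):
        stamp = ts.isoformat(sep=" ")
        if ts.hour not in BUSINESS_HOURS:
            findings["after_hours"].append(f"{user} at {stamp}: {desc}")
        if desc.startswith("SQLPLUS") and user not in SQL_AUTHORISED:
            findings["unauthorised_sql"].append(f"{user} at {stamp}")
        if desc == "LOGON failed":
            failed[user] += 1
    for user, n in failed.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings["repeated_failed_logons"].append(f"{user}: {n} failures")
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in review_audit(SAMPLE_AUDIT).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

Each finding carries the user ID and timestamp so the daily reviewer can go straight to the underlying records. Running the same function on a fresh slice of the log every few minutes gives the near-real-time review the weaknesses list asks about, with no change to the rules.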
SPAN audits all database activity, and the audit reports are reviewed daily. All SPAN activity is recorded in the audit log, including date, time, user ID, and description of activity.

Weaknesses: The following types of documentation are lacking:
  - documentation describing how often SPAN audit trails should be reviewed, and the actual frequency of review (severity: low);
  - documentation indicating whether automated tools are used to review SPAN audit records in real time or near real time (severity: low);
  - documentation indicating whether there is separation of duties between security personnel who administer the access control function and those who administer the SPAN audit trail (severity: low); and
  - documentation indicating whether SPAN audit logs stored off-line are retained for a specified period of time, and if so, whether access to audit logs is strictly controlled (severity: low).

APPENDIX E

Question 1. Identify the agency's total security funding as found in the agency's FY01 budget request, FY01 budget enacted, and the FY02 budget request.

Response to Question 1: No OIG response to this question is required, since OMB's guidance indicates it is directed solely to the Corporation for National Service.

Question 2. Identify the total number of programs included in the program reviews or independent evaluations.

Response to Question 2: Self-assessments were done by program managers and the CIO of application systems deemed mission critical.
In response to GISRA requirements, the OIG during July through September 2001 contracted with KPMG to perform evaluations of agency-wide information security policies and procedures and also to conduct independent evaluations of three of the four Corporation systems (Momentum Financial Management System, Corporation Network, and the System for Programs, Agreements and National Service Participants (SPAN)). The OIG did not re-evaluate the Web Based Reporting System (WBRS) at this time since it was assessed in conjunction with the recent audit of the Corporation's Financial Statement for Fiscal Year 2000. That audit and the associated Management Letter included recommendations for improvements in access and password controls and verification of data inputs to the system. As part of the audit resolution process, the Corporation agreed to consider recommended changes to WBRS. OIG will again evaluate the effectiveness of WBRS controls as part of the audit of the Fiscal Year 2001 Financial Statement.

Question 3. Describe the methodology used in the program reviews and the methodology used in the independent evaluations.

Response to Question 3: OIG and KPMG used the CIO Council's Federal IT Security Assessment Framework methodology in conjunction with control criteria from the NIST draft Special Publication, "Self-Assessment Guide for Information Technology Systems." Control techniques were derived from the related NIST publications, especially NIST SP 800-18, "Generally Accepted Principles and Practices for Securing Information Technology Systems". The NIST SP 800-18 control techniques were augmented by FISCAM control techniques.

Question 4.
Report any material weakness in policies, procedures, or practices as identified and required to be reported under existing law.

Response to Question 4: No material weaknesses were identified during the CIO assessments or IG evaluations.

Question 5. What performance measures are used by the agency to ensure that program officials have:
  1) assessed the risk to operations and assets under their control;
  2) determined the level of security appropriate to protect such operations and assets;
  3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and
  4) tested and evaluated security controls and techniques.
Include information on the actual performance for each of the four categories.

Response to Question 5: All of CNS's mission critical systems completed a formal re-accreditation process in 2001. The re-accreditation included:
  1) a risk assessment and determination of the level of security appropriate to protecting the programs' operations and assets;
  2) an up-to-date security plan;
  3) a security controls review; and
  4) independent tests and evaluations of the security controls and techniques.

CNS senior program managers reviewed the results of the re-accreditation process and signed an affidavit for each of the mission critical systems. The affidavit certifies that they understand the risks to the operations and assets under their control, and accept responsibility for the degree of security provided to protect such operations and assets.

Question 6.
The specific measures of performance used by the agency to ensure that the agency CIO:
  1) adequately maintains an agency-wide security program;
  2) ensures the effective implementation of the program and evaluates the performance of major agency components; and
  3) ensures the training of agency employees with significant security responsibilities.
Include information on the actual performance for each of the three categories.

Response to Question 6:
  1) The CIO contracted for independent evaluations of all mission critical systems and the corporate network in 2001. The results of the independent evaluations were reviewed and approved by senior program officials. In addition, the IG conducted a separate GISRA evaluation specifically of agency-wide information security policies and procedures.
  2) The CIO contracted for independent evaluations of all mission critical systems and the corporate network in conjunction with system re-accreditations. The OIG performed separate independent reviews of mission critical systems, the network and agency-wide policies and procedures.
  3) In addition to the security training that all CNS employees receive, information technology (IT) technical staff receive additional specialized security training according to job responsibilities and needs. They attend technical security training classes and conferences, and subscribe to on-line alert sources to further their knowledge of security and remain current with the rapidly evolving game of cat and mouse that information security has become.
In 2001, five IT security specialists have attended eight security training classes and conferences.

Question 7. Describe how the agency ensures that employees are sufficiently trained in their security responsibilities. Identify the total number of agency employees and briefly describe what types of security training were available during the reporting period, the number of agency employees that received each type of training, and the total costs of providing such training.

Response to Question 7: An ongoing, agency-wide security awareness program has been implemented. It includes first-time training for all new employees, contractors, and users, and yearly refresher training thereafter. All Corporation employees and contractors are required to complete annual security awareness training. Training requires all CNS users to acknowledge rules and guidelines by which they must abide. A daily security reminder is automatically displayed to employees during their log in process. In addition, application system user guides emphasize the user's security responsibilities.

The number of CNS employees and contractors who received first time security training during 2001 is about 200. All CNS employees and contractors, totaling approximately 750 individuals, received refresher security training during the year. The total cost of providing such training was approximately $7,500 in contractor costs.

Question 8. Describe the agency's documented procedures for reporting security incidents and sharing information regarding common vulnerabilities. Include a description of procedures for external reporting to law enforcement authorities and to the General Services Administration's FEDCIRC.
Include information on the actual performance and the number of incidents reported.

Response to Question 8: The following is quoted from the CNS "Computer Incident Response Guidelines".

    "If a computer security incident is detected, it must be reported immediately to the OIT (Office of Information Technology) Director and the ISSO (Information Systems Security Officer). In particular, each end user must know how to contact the Director of OIT and the ISSO.

    The Director of OIT has the responsibility to report incident information to upper management in a timely fashion. In addition, the ISSO must report to the Director of OIT promptly in the event of a serious breach of security. If there is evidence of criminal activity, it is the responsibility of the OIT Director and ISSO to notify the Corporation's OIG.

    CAUTION: No Corporation staff member, except the designated Corporation spokesperson (and FBI, if involved) has authority to discuss any security incident with any person, agency, or organization that is not in his or her chain of command."

In this calendar year, one incident has been reported to the Corporation's OIG and to FEDCIRC. The Corporation recognizes the need to revise its guidelines to comply with GISRA's new reporting requirements.

Question 9. Describe how the agency integrates security into its capital planning and investment control process. Were security requirements and costs reported on every FY02 capital asset plan (as well as exhibit 53) submitted by the agency to OMB?
If no, why not?

Response to Question 9: CNS is a relatively small organization with a limited number of senior officials. According to Corporation management, the same senior officials comprise the Corporation's resource investment board and are involved in all day to day policy decisions. Consequently, many resource investment decisions are handled as day to day business, rather than being held for a formal board meeting.

Security requirements and costs were included, but not separately identified, in the FY02 capital asset plan. An estimate of security costs was provided in the Exhibit 53 for FY02 submitted to OMB.

Question 10. Describe the specific methodology (e.g., Project Matrix review) used by the agency to identify, prioritize, and protect critical assets within its enterprise architecture, including links with key external systems. Describe how the methodology has been implemented.

Response to Question 10: CNS has no national responsibilities for critical infrastructure protection. It has a relatively simple technical infrastructure for its internal operations. Most of the Corporation's servers and network components are centralized in one Washington, D.C. facility. That facility supports all of the Corporation's mission critical applications. It has external links to two systems whose operations are outsourced, a link to an alternate service provider for payroll, and a link to a backup and recovery site. Because of the high degree of centralization and the limited number of critical external links, there is only one security infrastructure that protects all critical assets.

Question 11.
Describe the measures of performance used by the head of the agency to ensure that the agency's information security plan is practiced throughout the life cycle of each agency system. Include information on the actual performance.

Response to Question 11: The Corporation is currently developing only one new automated system, the Grants Management System (GMS). OIG has contracted with KPMG LLP to conduct a risk assessment of the GMS, including a review of development methods and the adequacy of internal controls for information security. This assessment is a prelude to OIG's certification of the GMS, as mandated by the Departments of Veterans Affairs and Housing and Urban Development, and Independent Agencies Appropriations Act for Fiscal Year 2001 (Public Law 106-377), once GMS achieves initial operational capability in approximately April 2002.

The Corporation's planning and periodic status reporting documents show that the SDLC methodology has been used and that consideration has been given to security controls in the SDLC phases that have been completed for GMS to date. Additionally, frequent reviews of the GMS development project are being done by senior management, including a personal review by the Corporation's Chief Operating Officer at the completion of each major SDLC phase.

Question 12. Describe how the agency has integrated its information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., physical and operational).

Response to Question 12: CNS makes no distinction between the critical infrastructure protection and information technology security programs. They are managed as one and the same. There is no separate prioritization of needs or resources.

Question 13.
Describe the specific methods (e.g., audits or inspections) used by the agency to ensure that contractor provided services (e.g., network or website operations) or services provided by another agency are adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national security policy, and agency policy.

Response to Question 13: CNS has two mission critical systems that are out-sourced, one to another government agency and one to a commercial firm. In 2001, the CIO contracted for security assessments of these systems as part of the re-accreditation process. External penetration testing was a part of those security system assessments. The OIG also did an independent evaluation of the system out-sourced to another government agency. The evaluation included both external and internal penetration testing. The testing results were generally favorable.